PCX 



WORLD WrmJECTUAL PROPERTY ORGANIZATION 
Intemasioaal Bureau 




IN-raRNAHONAL APPUCATION PUBUSHED UNDER TOE PATENT COOPERATION TOEATY (PCQ 



(51) IntenntiMial Patent Classification ^ ; 
H04L 9a2 



A2 



(11) International Pnblkation Number: 
(43) International Publieation Date: 



lOJuly IW(10Xn.97) 



(21) IntematfamrfAppIlcatiOTNomlwr: PCT/US97/00286 

(22) bitematlonal Filing Date: 3 Januaiy I W (03.01.97) 



(30) Priority Data: 
08/604.870 



3 Januaiy 1996 (03.01 .96) US 
22 Fcbniaiy 1996 (22.02.96) US 



aim) Applicant mid l-^l^?^'/^^^^^ 

Chestnut Hill Avenue, Brooklmc. MA 02146 (US). 

(74) Agents: MUIRHEAD. Donald. W. et al.; P*>><2^ 

One Post Office Square. Boston, MA 02109-2170 

(US). 



(81) Designated States: AL. AM, AT, AU, AZ, BE. BG BR BY. 
CA^, CN, CZ, DE. DK, EE, ES, Fl, GB, GE, HU. lU 
IS. JP, KE, KG, KP, KR, KZ, LK, LR, LS, LT. LU, LV. 
MD, MG, MK. MN» MW. MX, NO, NZ, PL. PT. RO. RU. 
SD, SE, SO. SI, SK; tJ;;™, TO, TT, UA. UG. UZ, VN. 
ARIPO patent (KE, LS, MW. SD, SZ, UG), Eurasian patent 
(AM. AZ, BY, KG. KZ. MD, RU. TJ. TM). Bunptm patent 
(AT. BE. CH. DE. DK.ES.FI.fr. GB. GR, IE, U. LU, 
MC. NL, PT. SE), OAPI patwit (BF. BJ. CF, CG. CI. CM. 
GA. GN. ML, MR, NE, SN. TO. TO). 



Without muntational search report and to be repubiuhea 
upon receipt of^iat report. 



(54) Title: IDEAL ELECTRONIC NEGOTIATIONS 
(57) Abstract 



RESULT INFORMATION 
(MiilMITIED AR PRICE P / NO DEAL POSSIBLE 



There is described an 
electronic conununications method 
between a fiist paity and a second 
party, widi assistance from at least 
a plurality of trustees, enabling 
an electronic transaction in which 
the fiist party having a selling 
reservation price (SRP) and the 
secofld pfifty having a buying 
reservation price (BRP) may be 
coounlted to a transaction if a 
predetermined relationship between 
SRP and BRP is establidted. but 
not otherwise. The method begins 
by having each of the parties 
transmit shares of thmr respective 
reserve prices to the Ciustees. Hiese 
shares are such tliat less tfian a 
given number of them does not 
provide enough useful information 
for reconstructing the reserve prices 
while a sufficiently high number 
of them allows such reconstruction. 
Tht trustees thoi take some 
action to determine whether 
the predetermined relationship 
exists without reconstructing SRP 
and BRP. If the predetermined 

deal is possible. As used herein, "sale" is nwely representative as the m«nMc«wn m^be F^^J^^^^;^^ limitation, sau^ 
lease, li^ financing transaction, or other known or hereinafter created financial commercial or legal bwnimew. 




FOR THE PURPOSES OF INFORMATION ONLY 



Codes used to identify States party to the PCT m the fmx pages of pamfrtilels publishing intenutionai 
applications under the PCT. 



AM 


Aiiiiaiia 


GB 


' United Kingdooi 


MW 


Malawi 


AT 


Amttit 


GB 


Geofeis 


MX 


MsLks 


AU 


Ausmiis 


GN 


Guinea 


NE 


Niger 


BB 


B«Mm 


GR 


Oroooc 


NL 


Nedieriandi 


BE 


Belghim 


m 


Hungaiy 


NO 


Norway 


BF 


BislciM Fiso 


IS. 


Ireland 


NZ 


New Zealand 


BG 


Buigtna 


IT 


ftaly 


PL 


PiolaBd 


BJ 


Benin 


IP 


Japan 


PT 


PoiTiigal 


BR 


Brazil 


KB 


Kenya 


RO 


Romaiiia 


BY 


Belsnn 


KG 


Kyigyttan 


RD 


Ron tan fcdcraiion 


CA 


Ctsada 


KP 


Dcjmocfitic People's Republic 


SD 


Sudan 


CF 


Cfeotnl AlriciD RepidyUc 




of Korea 


SE 


Sweden 


CG 


Coogo 


KR 


Republic of Kocea 


SG 


Sin^ipofc 


CH 


Switxcriatnd 


KZ 




SI 


SlovcQsa 


a 


CAU d'lvoire 


U 


\ i^ecftfcmtff in 


SK 


Slovyua 


CM 




LK 


SriLnfca 


SN 


Senegal 


CN 


Qdu 


LR 


Liberia 


8Z 


Swaxtland 


CS 


CMhoilovakia 


LT 


LidHiaiiia 


TD 


and 


CZ 


Cwch RcpiMic 


LU 


Latvia**^ 


TG 




D£ 




LV 




TI 


'nipittan 


DK 


Dcomsk 


MC 




TT 


THaidad and miaso 


BE 


EstociA 


MD 


KqWWIC 01 BWNODVa 


UA 


Ukniae 


es 


Spain 


MG 


Madasatcir 


UG 


Uganda 


Fl 


Fmland 


ML 


MaH 


US 


United states of America 


FR 


Firtnoc 


MN 


MoogoBa 


uz 


Uzbekistan 


GA 


G^boQ 


MR 




VN 


Viet Nam 



W097/24833 PCT/US97/00286 

IDEAL ELECTRONIC NEGOTIATIONS 

TECHNICAL FIELD 

nw present invention relates geneiaUy to secure electronic communications 
systems and more paiticulariy to cryptographic methods ih^ 
a negotiation to agree on a common price for a given transaction wifliout requiring 
5 citiwr participant to reveal certain information about its bargain 

a suitable agreement can in fact be readied. 
BACKGROUND OF TBE INVENTION 

In the past two decades, many secure transactions have been devised tiiat 
compute quantities from certain hidden data without revealing all such data. For 

10 instance, Yao (in tfw Proceedings of Foundations of Computer Science 

Conference, 1982) presented a solution to tiw so^alled Two-MilUonaire problem 
tiiat involved fliis sqjproach. In tins problem, two millionaires wish to know who 
is richer witiiout revealing tiieir respective momrtarywortti. In Yao's solution, the 
parties engage in cryptographic exchange, each encoding in a special manner tf^ 
15 amoum of money he/she owns. At tfie end of tiie cxdiange, one of flie 

millionaires is in possession of information indicating which of tiie two is die 
richer one and can then, witiiout proof, announce tfie result to flie oUier. 

In another example, CSoldreich, KficaU, and Widgerson presented ttie first 
of a series of cryptographic protocols for secure multi-party computation. This 
20 protocol enabled n parties (whose majority is honest), where party / has a secret 
input ;c„ to evaluate /on their private inputs, witijout revealing tiiese inputs more 
than absolutely necessary. At die simplest level, the parties compute y = 
ftKu...^ without revealing more about tiiex,'s tiiat is implidtiy revealed by the 
valueyitsdf. More sophisticated and precise definitions of tins protocol were 
25 later described, for instance in die work MicaU and Rogaway. 

In tiie past, traditional physicsd proximity has encouraged aeUers and buyers 
to negotiate in good fidtii. Physical proximity creates enough droumstantial 
evidence of an enforceable agreement, and also requires a considerable investment 
of time and effort on both sides, tfius reducing ttie buyer's temptation of 
30 negotiating just for -curiosity- witiiout any serious intentions of buying. Such 
goals, however, are more difficult to achieve where business transactions arc 
carried out more and more at a distance (e.g., over an electronic networic). 
Consider tiie example of purchasing a house over die Internet. Photographic 



wo 97/24833 



PCT/US97/0a286 



infOTination of a piece of property is readily available over the Internet, and digital 
signatures may help in signing a contract. However, in this new setting, it is 
possible for a seller to n^otiate with many potential buym simultaneously and at 
a distance so diat the various buym may not be aware of each other. The seller 

S can then use one buyer's offer for obtaining b^t^ offers from others, even with 
stringoit time constraints. At the same time, the new setting makes it very 
omvenient for uncommitted buyers just to shop around for a sella*s "true" price, 
and then possibly sell this information to oAers. 

There rraiains a need in the art to provide cryi^grai^c protocols that 

10 enable parties to negotiate and omsummate business and oth^ transactions 
electronically. 

BRIEF SUMMARY OF THE INVENTION 

It is the primary object of the present invention to describe an entirely new 
class of electronic cryptographic-based transactions, referred to h^n as "blind 

15 n^otiations." 

A "blind n^otiation" (sometimes referred to as an "ideal negotiation") 
according to the present invention is a new electronic transaction wherdn a 
seller S and a buyer B msh to see whether they can agree on a price for a given 
good or sendee. It is assumed that the seller has a "reservation" prices, SRP, at 

20 vMch she is willing to sell now (not necessarily the minimum of such prices). 

Similarly, the buyer has a reservation price, HRP, at vAadx he is ready to buy now 
(not necessarily the maximum of such price). In a blind negotiation, the current 
reservation price of each parQr is a seoet of that party. 

A blind negotiation is a cryptographic system diat guarantees die following 

25 two properties (which are NOT readfly obtainable even in a physical or iace-to- 
face transaction): 

L Eitforceable Agreement. Both parties readi an agreement on a price 
P (between SRP and BRP) whenever SRP < (or equal to) BRP, or 
dse; 

30 2. Proved Privacy, Eadi party is provided a proof that SRP > BRP 

that does not reveal the other's reservation price. 
In a blind negotiation, if seller and buyer learn that no deal is possible (i.e., that 
SRP > BRP), then th^ may decide to try another round of n^odating. 



-2- 



wo 97/24833 PCT/Uar7/«««6 

presumably after diaiiging their reseivatioii prices, orlliey may decide to quit 
negotiating, in the latter case, the seUcr knows that no one has learned her 
reservation price, and thus that she can partidpalB in fi^ 
"bargaining power" intact. If, instead, a deal is possible, a blind negotiation may 

5 reveal the two reservation prices. Indeed, for instance, assume that the two 

parties agree to "spUt in the middle" when a deal is possible (i.e., they adopt P = 
SFP+BRPA2 as the actual sale price). Then, after reaching agreement on a price 
P by means of a blind negotiation, each party can , knowing his own reservatioo 
price and the average of the two. easUy compute the other' s reservation price. 

10 Indeed, when a bUnd negotiation system realizes that SRP < (or equal to) BRP. 
then the system can just reveal SRP and so that P=SRP+BRP/2 can be 

easily computed. 

It should be noted thai in real-life, blmd negotiations are not easily 
obtainable, in feet, if one of the parties (c.g., the seller) makes an offer to seU at 
15 a given price, then that offer already provides valuable information about SR^^ A 
similar problem exists when the first offer is made by the buyer. As a result, in a 
ical-life negotiation, sellers and buyers are unwilling to make first offers. This, 

however, is not a problem in a blind negotiation system. 

It is thus an object of the present invention to provide cryptographic 
20 techmques and systems for implementing such blind negotiation schemes. 

It is a fiwther more specific object of tiie invention to feciUtate blind 
negotiations using one or more trusted parties who either preferably do not learn 
BRP or SRP or, if they do, they cannot misuse such information. Such trusted 
parties may be actively involved in the negotiation or. alternatively, be required 
25 only when initial exchanges of communications between buyer and seller leaves 
one of the parties with uncertainty about tfje results of the negotiations. 

The constraint that a deal is achievable if SRP < (or equal to) BRP is 

preferable, altiwugh otiier fiinctional relationships between SRP and BRP may be 
implemented in die blind negotiation system. Thus any reference to die preferred 
30 consttaint of SRP < (or equal to) BRP should not be taken to limit the present 

invention. Similarly, the constraint tiiat tiie actual sale price is in-between SRP 
and BRP is merely preferable, but not required dtiier. 



wo 97/24833 



FCT/US97/00286 



Thus, in one embodiment, there is desaibed an decttonic communications 
method between a first party and a second party, with assistance from at least a 
plurality of trustees, enabling an dectronic transaction in which the first party 
having a selling reservaticm price (SRP) and the second par^ having a buying 

S lesovation price (BRP) may be committed to a transaction if a preitetennined 

lelatimiship between SRP and BRP is established, but not othowise. The method 
b^s by having each of the parties tiananit shares of timir respective reserve 
inices to the trustees. These shues are such tfiat less than a given number of them 
does not provide oiough usefiil informatitm for reconstructing the reserve prices 

10 while a suffidently high number of Ihem allows sudi reconstruction. The trustees 
taen take some action to detomine whether dw predetermined rdationship exists 
widiout reconstructing SRP and BRP. If the preddemnned rdationship exists, 
then the trustees provide information that allows a determination of the sale price 
according to a given formula. Otherwise, the trustees detnmine tfiat no deal is 

15 possible. As used herein, "sale" is merdy rqjiesaitalive as the transaction may 
be of any type including, without limitation, a sale, lease, license, financing 
transaction, or odier known or herdnafter created financial commodal or l^al 
instrument. 

In a modifitcation to tiiis embodiment, the actions are taken not only by the 
20 trustees alme, but also in conjunction widi the first party and the second party. 

In an alternate embodiment, the sdler and buyer oommumcate with a single 
trustee, who can <tet»mine whedio- a.deal is possible without learning SRP or 
BRP. In a still further embodiment, the trusted party may be a secure piece of 
hardware diat recdves an encrypted veracm of SRP and an enoypted vonon of 
25 BRP and d^ermines whdher a deal is possible and at what price. 

Yet in anodier embodiment, the blind negotiation is achieved with 
"invisible" trustees. In such a case, the seller and buyer do not collaborate wiUi 
any trustee initially and implement a blind negotiation system if they continue 
collaborating proporly. However, if one of the parties stops collaborating, die 
30 other party can access <me or more trustees vAo are citable of completing the 
intonqiled blind neg(Miati(m. 

Of course, in a blind negotiation according to the invention, ttie parties 
need not agree on a final iwice mody by splitting die difference between their 



wo 97/24833 PCT/US97flI0286 

respective reserve prices. Indeed, in a blind negotiation the two parties inay agree 
on tiie actual sale price by any strata they want. For instance, if a deal occurs 
in the first blind negotiation, then the parties may agree to spUt in the middle, but 
if a deal becomes possible in the next round of blind negotiation, then they may 
5 agreeontheactualsalepriceby means of a formula that fiavors the party who has 

made the biggest "concession" in the second round. Alternatively, they may 
dedde to favor the party who has varied his reservation price by a smaller degree 
in the second round, or by some such other approadi. 
laOEF DESCMPnON OF THE DRAWINGS 
JO For a more complete understanding of the present invention and the 

advantages thereof, reference should now be made to the foUowing Detailed 
Description taken in conjunction witii the drawings in which: 

FIGURE 1 illustrates a pr^eneA embodiment of tiie invention wherein an 
electtonic process having three concq)tual steps (as numbered) is effected by first 
15 and second parties, with flie assistance of a pluraUty of trustees, in order to 
achieve an ideal dectronic n^otiatimi. 

FIGURE 2 illustrates a preferred embodiment of the invention wherein an 
dectronic process having three concqitual steps is effected by first and second 
parties, with the assistance of a trustee comprising secure hardware, in order to 
20 achieve an ideal dectrwiic negotiation. 

FIGURE 3 illustrates an embodiment of the invention wherdn an dectronic 
process is effected by having first and second parties exchange messages to 
attempt to complete an ideal negotiation, and the use of the trusted party to 
complde the action if needed. 
25 FIGURE 4 illustrates a share m^od embodiment of the inventim, 

invoking tiiree numbered steps, wherein sdler and buyer are players who, 
together with at least one other tnjslBe-player(s), take action in determining 
whether a given relationship exists between SRP and BRP in order to effect the 
ideal negotiaticm. 
30 DETAILED DESCRIPTION 

Several different types of blind negotiation systems are described bdow. 
For each one of tiiese systems there is also presented several variations and 
modifications. Such variations and modifications also apply to the other blind 



-5- 



wo 97/24833 



PCT/US97/00286 



negotiation systems and not just the particular schemes with which Aey are 
described. 

Blind Negotiations With Multiple 'nrustees/Flayers 

In a fint raibodiment, an n-party secure computation (e.g., the protocol of 

5 Goldreich, Micali and Widgerson, or that of Beo-Or, Goldwasser and Widgersm, 
or that of Rabin and Bm-Qr, or that of Chaum, Cr^)eau and Damgard) or a 
"suitable" simplification thoeof is used to facilitate a blind negotiation aiq)Ucation« 

By way of brief backgnmnd, it is known in the art that secure protocols 
enable n players (a suitable majority of which is h(N^) to evaluate a given 

10 function/on thdr private inputs, without revealing these inputs more than 
absolutely necessary. At the simplest level, the parties compute y ^ f^j,. . . 
without revealing more about the Jt/s that is implicitly revealed by the value y 
itself. Of course, if each player keeps his own input for himself, the privacy of 
the inputs x. is pofectly maintained, but no joint computation of /can occur. Of 

IS course too, if a player reveals his input to some otiier player, this may facilitirte 
some joint computation, but it may not keep the playo-^s input as secret as it 
should be. Radier, in most secure computation protocols, a play^ I takes his own 
secret input Xj and constructs a secret random polynomial P(x) —modulo a prime p, 
p > n, and of d^ree /, 1 <t<n -aich that P(0) = x^, his own input. (In other 

20 woids, the player chooses the last coefficient of the polynomial to be his own 
iiqput, and all mh^ oo^dents at random. If the input of a player is a binary 
string of at most, say, k bits, tiien /i can be chosen not cmly > n, but also having 
k + I bits.) 

Hioi, the player privately gives player a the value P(a), player b the value 
25 P(b) and so on. Thus, no single play^ (oth^ tiian 2), nor any collection of 

players with less tium t membm, may know die polynomial P0c), nor the inimt o^. 

However, collectively, the players (incteed any r+ 1 of the players) know P0c). 

Indeed a /-degree polynomial may be easily <4)tained by intopolation from its 

value at t+J different points. Thus, sufficienfly many players can easily 
30 reconstruct P(x), and tiius P(0) = jc^ while suffidentiy fewer players cannot even 

gu^ x; better tiian at random. 

Each player a thus (I) possesses a share, P(a), of any other player*s input, 

and (2) if the majority of the players want, the input of every player can be 



-6- 



wo 97/24833 



PCTAJS97/00286 



revealed, but (3) without the cooperation of the majority of the players, each input 
remains unpredictable. After sharing each input among all players in such a 
fashion, a typical secure computation protocol then proceeds to evaluate the given 
function on the player's inputs, but working on their shares, rather than on the 
5 inputs directty. For instance, if the function dictates that the inputs JCi of player i, 
encoded by a polynomial P Ci-e. , P(0) = x,). should be added (mod to the input 
Xi of player;, encoded by a polynomial Q (i.e., 0(0) = JCy), ^ each phiyer 
whose share of Jt; is = P(k) and whose share of is a = QQ), adds !» and A 
mod p, thereby computing (P+Q)(k), that is, a share of (Xj+Xj mod p), the sum of 

10 die two inputs mod p. 

As for anodier example, if die function dictates tiiat the input jc, of player i 
(encoded by a polynomial P) should be multipfied modulo /? with die input Xj of 
player/ (encoded by polynomial 0, flien each pbyer k, whose share of x, is = 
P(k) and whose share of x, is/* « Q0), muhiplies it and A modulo p. thereby 

15 computing (PQ)<k), that is, a share of x^^ (mod p), tt«5 product of die two inputs 
modulo p.' 

Though not all operations <m tiie inputs translate into operations on die 
shares in a way tfiat is as simple as in die case of die "addition mod p* operation 
or of a (single) multipUcation modulo p, at die end of die secure computation die 

20 players have each his own share o{y=f(x,....X), that is, each player has die 

value F(k), where F is a f-degi«e polynomial such tiiat F(0) = y. Thus all players 
may release dieir shares, so as to aUow die reconstruction of F by polynomial 
interpolation, and dius the reconstruction of y without releasi!^ any unwanted 
information about die inputs x,'s. This reconstruction also works in a simple way 

25 ^rwidedfliatdiere are suffideatly many honest playws) even though some 

players may be bad and release incorrect shares. This is just dw basic background 



» Note tiiat die product polynomial PQ has degree 2f, and tiius one needs 2t 
points for interpolating it. Therefore, tiierc must by sufRciaitiy many honest 
players. If one had to execute a chain of sevend multiplications ~ e.g., 
((P+WQQ+WP-^y ^ *e above mediod, dien die number of honest 
players needed would become totally impractical. Thus, different (degree- 
reduction) medwds have been devised in die Utraaturc, The above metiiod, 
however is quite practical if one only needs to compute a single product mod p. 



wo 97/24833 



PCT/US97/0a286 



on multi-party secure computatims. Hie reader is directed to the art references 
for further d^ls. 

Mtfa this background, it can now be described how one such secure 
computation piotoool is used to facilitate a blind negotiation. 

S A Fi^^ Share-Method 

As noted above, as indicated in FIGURE 1, a secure-computaticm protocol 
assumes that there are n parties, the majority of which are iKmest. In a blind 
n^otiation there are two parties, the sdler and the buyer. It cannot be assumed 
that both parties are honest, however. Thus, in this embodimmt sellor and buyer 

10 coopesale with one or more trustees. These are additional parties that are assumed 
to be trustworthy On particular, trusted to follow the prescribed instructions of a 
secure computation i»otocol). By means of a system such as described below, the 
trustees onable sdler and buyer to complete ttieir n^otiaticm in a blind way. It is 
desired, howeva, that the trustees shcndd not recdve much informaticHi, nor 

IS should they be able to misuse whatever information they do receive. 

The following blind n^otiation system further makes use of digUat 
signatures. In a digital signature sdieme, eadi party X has a secret signing key Sj, 
and a matching public verification key P,. Party X may obtain its digital signature 
of a message (string) m, SIGJm)^ by running an algorithm SIG on inputs 5, and m 

20 (thus, SIG,(iii) SIG(S.,w)). The signature of party X on a message m is verified 
by running a verifying algorithm VER on the signature and X's public key. 

The following now describes how to use a multi-party secure computation 
pnHocols for buUding a blind ne^otiaticm systems with trustees and digital 
signatures. For instance, a secure computation with n^3 exists by asking one 

25 trustee to join the computation. Thus, if either the seller or the buyer is honest, 
since a trustee is presumably sdected with trustworthiness as a proequisite, an 
honest majority ^dsts. If desired, larger values of n may be chosen in a secure 
computation protocol, with the cooperation of more trustees. This way, even if 
(Hie or more trustees turn out to be malicious, the majority of all players are 

30 honest 

Assume now tfiat there are suffidoitly many trustees, so that there is a 
total number of n>2 players, a suitable majority of which are honest Without 
loss of generality, the sdler is player 1, the buyer player 2, and the trustees 



-8- 



wo 97/24833 



PCT/US97/Q0286 



players 3 n. Then, n players are used to perform a particular n-party secure 

compulation, for an espedaHy selected function/, and for especially selected 
inputs. 

Let (S„SRP) be the input of player I, (5^iWfO be the input of player 2 and 
5 « the input for any other itoyer,M*eie SI is the secret signing key of the seller, 
SRP the reserve price of the seller, S2 the secret signing key of the buyer, BRP 
the reserve price of the buyer, and E; the empty string. Further, let/be the 
function such iiaif((St,SRP), (S2,BRP), £,...,€) = 

(SlG(Su(T,SRP+mtP/2)), SIG(Si,Cr.SRP+BRP/2))) if 

10 SRPK.BRP. 

and "NO DEAL" otherwise. Here T is any string describing the transaction in any 

sufficient way. For instance, T may consist of identifying the sdler and the 
buyer, the negotiated commodity, and/or additional data, such as time data, or an 
indication of the trustees. 

15 -nius, fimction /outputs a certified commitment for the seller and buyer to 

trade, at a meet-in-the-middlc price, whenever the deal is possible, i.c., whenever 
SRP< (or equal to) BRP. (Of course, within/, one could replace SRP+BRP/2 
with any strategy, g(SRP,BRP), to determine the actual trade price.) 
Therefore, the function /only depends on the inputs of sdler and buyer, and not 

20 on the inputs of the trustees (these could be any value rather than e, because/ may 

i^mre diem anyway). 

The above is a "blmd negotiation" system because both seller and buyer 
end up with a signed contract with the right price whencvw a deal is possible 
between them; otherwise they end up with a proof tiiat no deal is possible, but 
25 which does not reveal what the two resemtion prices may be. Incaseadeal 

were possible, preferably the contract is signed by both of them digitaUy. Indeed, 
in this case the output of the secure computation is the signatoire of the buyer and 
the seUer that the transaction T has resulted in a sale at a given Price. Thus, the 
above system satisfies the Enforceable Agreement property. Indeed, whenever 
30 SRP is greater to or equal to BRP, seller and buyer end up with a binding contract 
an agreed price determined by a given formula. 

In case a deal were not possible, tiien the result of the secure computation 
is NO DEAL, and diis is a proof that SRP > BRP (because of die way the 



wo 97/24833 



PCT/US97/00286 



fiincdcm /is defined, because an honest msyority exists among the selected players 
so that /is correctly computed, and because the result of the computation has been 
pioduoed by the trustees and can be thus ^'witnessed by them" if necessary). An 
aitamative proof that no deal is possible can be obtained by modifying the function 
5 /so that SIG,(T,NO DEAL) and SIG^fT^NO DEAL) is output instead of just NO 
DEAL (where the subscript S stands for sdler and B for buy^). Hther way, the 
reconstruction of NO DEAL does not reveal what the specific values of SRP and 
BRP may be, save for the fact that SRP>BRP. Indeed, in a secure computation 
of a function, only the result of the function evaluation is made known, but not the 

10 functioi's inputs, llius, if a given conqiutation of/results in ou^tting NO 

DEAL, then this output reveals that SRP is greater ttian BRP but not the spedfic 
values thereof. Thus, any other information about SRP, BRP and Ae sdler*s and 
buyer's secret signing key is kept totally secret. The above system thus also 
satisfies the Proved Privacy prop&ty. 

IS A Second Share-Method 

The above method, however, may be enhanced by having seller's and 
buyer's signatures computed outside the share computation |diase. Before 
engaging in any secure computation, buyer and seller sign (preferably digitally) an 
initial agreement of the kind "in this transaction 7, with trustees 7|,72,..., seller S 

20 and buyer B agree to trade commodity C at the average of thdr reserve prices, if 
their secure computation of function /is YES." Then, seller, buyer and trustees 

securely evaluate /on inputs (SRP,BRP,€ e), making sure that this computaticm 

is bound to identifier 7. Here, /is the function such that /f5JtP»iri?P,6M..>€j= 
YES if SRP<fiRP, and NO otfierwise. Thus, if the result is YES, the playos 

25 retrieve SRP and BRP from their shares (altanatively,/may output (SRP,BRP) 
TBither than YES), and sellff and buy^ can then easily both sign (T,SRP+BRP/2). 
If one of them re&ises to do so despite die result of the computation, thai the 
honest trustees may sign in his or her place, and the signatures of a suitable 
majority of the trustees may be considered equally binding. If the share 

30 computaticm phase indicates that no deal is possible, then seller and buyer wiU 
each sign (T.NO)^ or the trustees will do it cm their behalf. (Notice that it is not 
important who signs an initial agreement first. Indeed, only after both seller and 
buyer have signed it will a secure computation of/ follow or be completed.) 



•10- 



W097/Z4833 FCT/US97/IHB86 

Of course, inany variants of this basic method can be For 
instance, diffcmit types of initial agreements niay be stipulated. Also, in any of 
the blind negotiation systems, seller and buyer may not participate in as players in 
the secure computation phase. The players of this phase can just be trustees (so 

5 that it is easier to have a suitable honest majority). Tlius, each of seller or buyer 
may just give each trustee his or her proper share of the input, and then the entire 
computation will be carried over the shares by the trustees, until the final result is 
produced and handed out to both seller and buyer. Also, the trustees (or seUer 
and buy«) may just sign NO or nothing at aU, rather than signing rT,iVa). Asftw 

10 r, it is preferable that it provides a unique identifier of the current negotiation. 

For instance, T may indude some of S, B, the current dale and time, a description 
of the commodity on sale, as well as encryptions of SRP or BRP, or an indication 
of the trustees, or a random identifier. 

A TfrtTtf S^a'e-Method 

15 The first aliemative embodiment, wherein digital sigoamres are carried out 

outside the share computation phase, may also be enhanced. Indeed, a typical 
secure computation protocol succeeds in securely evahiating a given function by 
means of securely computing some primitive functions, for instance, modular 
addition and modular multiplication. 

20 Accordingly, rather than direcdy applying some ready-made secure 

computation protocols in the secure computation phase of the inventive blind 
negotiation protocols, it may preferable to write a new orf toe protocol for this 
purpose that uses the above primitives in an elementaiy way. One such protocol is 
now described. 

25 The new protocol uses as a primitive the share conqmtation of (ft-b)r mod 

where fl, and rare secret values in the multipUcative group mod and/? is 
preferably a prime (in which case a,*, and rare between land p-1). Inthis 
application, a and * may be spedfic values (e.g., the private inputs of specific 
players). whUe r is a random value, possibly chosen during the compulation itsdf, 

30 and it may not belong to any particular player. For instance, r may be chosen 



-11- 



wo 97/24833 



PCT/US97/00286 



as the sum mod p of several random seoret values r/s belonging to different 
players.^ 

One advantage of the (a-b)r primitive is that its share computation is 
readily implemented. Indeed, the share computation of a single 

5 addition/subtraction and a single multiplication modulo p of secret values (such as 
a, ^ and r) is particularly easy to obtain. 

A second advantage of the (a-b)r primitive is that it can be used to test 
wh^er two given secret inputs a and b are equal without releasing any additicmal 
information. In £EK:t, if a^b^ then (ab)r^O no matter what the actual value of a, 

10 b and r may be. Alteniattvdy, if Cif^b, (a4>) is a fixed non-zero nunib^. Thus, 
multiplying modulo p this fixed numbor by a number r between 1 and yields a 
numbCT modulo p difiinent from zero. Moreover, because r is random, this 
product modulo is a random number b^een 1 and p-l^ and thus cannot b^y 
what tte precise values are of a and b. 

IS These advantages make the (a-b)r primitive especially suitable for 

constructing a practical and gra^ type of blind negotiation. In particular, 
assume that the seller's and buyer's resCTvc prices are in the interval [M.N]. That 
is, M and A^are, res5)ectively, agreed (or obvious) lower- and upper-bounds to 
both SRP and BKP in some given currency. That is, each value between Af and 

20 is interpreted as a possible price in dollars, or tms of dollars, or thousands of 
dollars. (Such M and N can be eaaly made part of the descriptkm, 7, of a given 
negotiatim.) 

In a particular example, the seller is a car dealer. Buya and seller are 
"blindly** negotiating over a new conqnct car (of a given brand, type, and color) 
25 ovet die Internet. Although deal^ should wdcome offers from customos outside 
their own trade area, traditionally they do not like negotiations at a distance 
because they reveal thdr reserve prices to someone who may not be serious about 
any offer discussed (and who may just live a few blocks away). In such a setting, 



^ If r is chosen this way, while each r, may be between 1 and p-1, thdr sum 
30 mod p may be 0. Howevw, if p is suitably laige (e.g., SO- or 100-bit long) the 
prd)ability that the resulting r is 0 when at least one r, is seaetly and randomly 
chosen, is quite negligible. Thus, from a practical point of view r can be chosen 
in this matter if desired. 



-12- 



W097/24S33 



PCTAJS97/Q0286 



if the players choose thousands of ddlars as their cunency, they may set Af = 4 
and = 40. (That is, if it is assumed that the car is going to be sold the price 
will be between $4,000 and $40,000). Altemativdy, they may choose $500 or 
$250 as their basic cunency, in which case they may set, respectively, A# « 8 and 

5 = 80, or Ai = 16 ani N - l€0. 

For each price / between M and N, the seller chooses a value S, as follows. 
If i<SRP, then the sdler chooses S, at random between 1 and p-l (each sudi 
random value is chosen independently from all other such values); else, she sets 
5,=0. Crtius, Si=0 only if price i is acceptable to her.) Symmetrically, for each 

10 isfi^t *e buyw sets fl, =0, and, for each i>BRP, he chooses B, at random 
between 1 and J>-1. (Tarn, B, =0 only if price i is acceptable to him). Then, in 
the presence of trustees a secure computation of the new primitive is executed for 
each I = IM,NI. That is, fi» each i = IM,N} the value (SrB^R, is computed 
(witfiout revealing any additiraial information about Sj and Bj), «*ae each R, is 

15 indq>endaitly and randomly selected between 1 and ;^1. lfm» of these 
computations returns a 0, then the deal is possible and agreement if forced. 
However, if no 0 is obtained, then no agreement is possible and seller and buyer 
may decide to negotiate again or quit. (Preferably, they had signed an initial 
agreement prior to executing this procedure indicating their intentions, cunency, 

20 names, time, etc., and what happens in case of a positive outcome, i.e., in case 
for some price I the computation of (SrBJR, yields zero. This initial agreement 
can be {Moduced in a standardized manner so as to be more omvenient and quite 
compact) 

How this sdieme works can now be eiqilained. Assume first that 
25 SRP^fiRP. Then, secure computation of (SrBJRt is analyzed in three cases: (1) 
when i<SRP<BRP, (2) when SRP<.i.^^, and (3) when SRP^BW»<i. In 
Case 1, the secure computation of (SrBJRi wiU return a non-zeio random number. 
Indeed, for each such value of i, B,=0, thus (SrB^R, equals just the product mod p 
of S, and Rf. Since each of these numbers is different than 0, so will be thdr 
30 product mod p. (Moreover, this product will be a random number between 1 and 
P-l because R, is random.) In Case 2, S,=B,-0. Thus (SrB^R,^0 for any 
possible value of R,. In Case 3, Hius, the secure computation returns the 
pioduct mod /> of B, and R,. Since each of these values is different than 0, so is 



wo 97/24833 



pcr/us97yoa286 



tteir pioduct mod p. (Moreover thdr pnxiuct will be a random value between 1 

and p-l because so is J^.)- 

Assume now ttiat BRP <SRP. Again, there are three cases to analyze in 

the secure computation of (SrSJH^: (1) i<BRP<SRP, (2) BRP:^^JSRP, and (3) 
S BRP<JSRP<i. In all three cases, however, what is r^umed is a random numbCT 

between 1 and p-l, independent ofyAuu specific values SRP and BRP may have. 

Thus, such a result, \^ile proving that no deal is possible (i.e., that SRP>BRF), 

does not reveal any odier detail about the spedfic values of SRP and BRP. 

Thereftire, the new primitive shows only the prices i for which both the . 
10 seller and buyer entered 0 (i«e., all and only those prices at which th^ are both 

willing to trade), and dius a sale is possible. Thus, if even a single 0 occurs as 

the result of the share computation rdative to some price i, thanks to their initial 

agreraient, sdlor and huyet end up with an enforceable agreement to trade at a 

givra price P. 

IS There are several ways to compute price p. For instance if min is the 

minimum value of i for wiiich 0 was returned and max the maximum value of i for 
which a 0 was returned, the initial agreement and the result of the secure 
computation (as property witnessed or signed by a suitable number of the players) 
may be tiken to cmstitute a signed contract to trade the givm commodity at price 

20 min + max/2. 

Notice that eitho: the seller or the bi^ may enter 0 for some values of i 
without ratering 0 finmi that point on ^.e., for all values higher than i in the 
sdler's case, and for all values lower than i in the buyer*s case).^ This may 
indicate that the seller (buyer) is willing to sell (buy) at certam prices only, and 

25 not, for whatev^ reason, at all prices higjhier (lesser) flian a given one. The 
system may recognize this bdiavior as legitimate (e.g., the final price may be 
chosra to coincide witii a value i, min<J<max, propetly selected among those for 
which 0 was returned -e.g., i-min, or i^max, or, preferably as equidistant as 
possible from min and max, with a way to break ties). If it is desired to 

30 disinoentivize this behavior, however, whenever two or more O's are returned but 



* For instance, the seller may just enter 0 for the single value of /, strictiy 
less than N and strictly greater than M. 



-14- 



wo 97/24833 



PCT/US97/00286 



the tetumcd O's do not constitute a contiguous sub-segment of [M.N], aU values S, 
and B, relative to any position between the first 0 and the last 0 are recovered 
(eg., from the shares in possession of suffidenily nwrny trustees for secure 
computation puiposes), and if the buyer has put 0 consistently in these positions, 
5 then some proper action may be taken. Fdr instance, the seller is obliged to scU at 
a punishingly chea?) price (and a punishingly high price for the buyer). If both the 
sdler and buyer have not put their own 0*s in a consistent way, then some proper 

action may be taken. For instance, the trade price will be decided in some other 
way, or both will be fined. 

10 Although not meant to be Umiting, many of the above computations can be 

effected in secure haidware by persons using such hardware or other known 
machines including computers. In addition, although the various methods 
described are conveniendy implemented in a general purpose computer selectively 
activated or reconfigured by software, one of ordinary skill in the art would also 

15 leoogniathatallmetiiodsof the present invention may be carried out in 

hardware, in sofb»are. or in more specialized apparatus constructed to peito 

lequiied metiiod itt^. 

<^|^s.m-Methods with PlaVCTS 

In a modification of tiw above embodiment, any of our share- 

20 methods for blind negotiations can be imptenwnted so ttiat 

computing actions are taken by tiw trustee togeUier witii players one and two. 
This yields a share-based blind negotiation system witii a plurality of players, 
where a player may be tiie first party, a second party or a trustee. In such 
modifications, one of tfie two parties may give a share of his reservation price to 

25 the other paity. Of course, the two parties have enough information to reconstruct 

bod) their own reservation prices but, like in die above shaie-meUiod, any 
suitably-smaU subset that does not include both parties does not possess enough 

information to construct tiie reservation price of die (missing) party. 

Singte-Trostee BSnd-Negotiatioii Systems 
30 It may be preferred ttiat a blind negotiation system use only a single trustee 

in tiiat it be fiirther simpKfied. One way of achieving tiiis would be to have die 
seUer tell the trustee her own secret value SRP, and have die buyer teU die trustee 
his own secret BRP, so diat die trustee can announce whedier a deal is posable. 



-15- 



wo 97/24833 



PCT/US97/00286 



and at \AiBt price, without revealing additional information about SRP and BRP. 
The trustee, however, then learns both SRP and BRP. Even if he may be trusted 
to keq) the recdved SRP and BRP cmfidmtial, he will nonethdess have learned 
these values, and this may not be acceptable/ 

5 It is thoefore preferred to implement a blind-negotiation system with just 

one trustee possessing the following attractive prop^es: (1) seller and buyer 
perform their own computations and then they transmit to the trustee some proper 
piece of information, which the trustee then further pnx:esses to conclude the 
negotiation; and (2) the trustee does not learn any thing about SRP and BRP 

10 (except for learning whetha a deal has occurred). Thus, such a system has an 

elementary and convenient intraaction among all parties, and yet does not give the 
trustee the values of SRP and BRP. 

To illustrate tfiis system, it is useful to provide a brief baclqground about 
the known cryptographic notion of a tra^Mloor pmnutation. This is a function that 

IS is computationally easy to evaluate but ov^whdmingly hard to invert unless a 
spedal secret is known about the functim. Thus, any one can, given x in the 
range of/, compute f(x). However, cmly he who knows/s secret can feasibly 
retrieve x fromf(x). 

The best known (and essmtially the only known) examples of trap-door 

20 permutations are based on factoring and modular exponentiation. For instance, 
consider the RSA ftmction. Let n be the produa of two large (e.g., SOO-bits), 
secret, and random primes p and q, n ^ pq. Because sdectiing such primes p and 
g is easy, and so is multiplying them, one can easily construct such an n. 
However, since no &st algorithm for facbmng is known, finding the prime 

25 foctorization of such an n will be hard for eveiycme else. Thus, the prime 

factorization of n is a secret relative to n. Let us now see how this secret can be 
used to inv^ easily the RSA function. 



^ For instance, assume tiiat, afttf trusting the trustee to tfiis extreme extent, it 
turned out that no deal was possible between seller and buyer because SRP> BRP. 
30 Then tfie seller should be able to negotiate witii otiiers tiie sale of the same 

commodity, keqnng intact her bargaining power. However, the trustee himsdf 
would not be able to negotiate blindly with the sellex! 



-16- 



wo 97/24833 FCT/US97/Wn86 

The RSA is a permutation over Z*,, the multipUcative. group mod n 
obtained as foUows. Let c (for eiiponent) be relativdy prime with (^ijr«^7>, an^ 
seif(x)^jrmo6n. Then, is feasibly evaluated. Indeed, if x, the modulus, 
and the exponent aU are at most *-bit long (eg., l,0(XH)it long), then a modular 

5 exponentiation can be computed (by the repeated squaring method) with roughly 
1 ,500 modular multiplications without any need to know n's factorization. 
Moreover, such a f(x) is a permutation. Indeed, it can be inverted as follows: let 
J be the multipUcative inverse of e mod (p-i)(4-i); that is, ed mod (p-l)iq-l)=L 
Ttwn, (always operating mod «, and thus mod (p-l)(q-l) at the exponent) we have 

10 (X'f = JC, ftat is, the function X* mod n is the invose RSA function (with 

exponent c), j;* mod n * 

This proof not only shows that X* mod » is an invertible function 

(independently of how much time inverting it may take), but also that it is a trap- 
door function. Indeed, he who knows p and ^, and thus (p-lMq-l), can easily 
15 compute d and thus easily invert the RSA fimctiffla.' 

The inventive system makes use of sudi a trap-door function /(W=JC mod 
n. While the buyar knows n and « (e.g., because the 

sdler gives them to him, or because they are publicly known), preferably only the 
sdler knows n*s &ctorization, (p,q), or, 

20 equivalentiy, d, the multiplicative inverse of e mod ^l)(q-l). 

The system also makes use of preferably a one-way (possibly collision-fiee 
hashing) function H. Thus, while it is easy, given x, to compute y^H(x), it is 
piacticaUy impossible, given y, to compute an X such that =y. (In this 
setting it is not necessary that H be a trapHloor permutation. Indeed,Uis 

25 preferable that is not trap-door, and that it is a totaUydiffsemfimctiona^ 

together, and not a RSA-like). 

Let now Af and N, respectively, be lower- and upper-bounds 



' The RSA function can be defined more generaUy - e.g., for any composite 
number n and any exponent e relatively prime with Hnh where * is Euler's 
totient function. This more general functions may too be used within our 
inventive blind-negotiation system. Similarly, one could use Rabin-like trapnioor 
fonctions, or other fimcticm, if so wanted. 

-17- 



wo 97/24833 



PCT/US97/0a286 



for the reserve prices of sellar and buyer, and let i be the actual SRP and/ the 
actual BRP (thus, M <i, j <. N). The new blind«negotiation system is preferably 
implemoited by means of three stq>s: a buyo-^s stqp, a seller's stq>, and a 
trustee's step. Each transmission in the system preferably occurs in a private 

S manMr; for instance by encrypting it with a key shared with or owned by the 
recipient to ensure that no clear text message falls in tiie wrong hands. 

In the buyer's step, the buyer B selects, prefmbly at random, secret x mod 
It. Hien, he evaluates /, on input x, N-M times, so as to obtain the following 
sequence of values (presented in reverse order): 

10 =r"W,Z, (X) 2U=/W=x 

(I.e., Z; is the first /-inverse of Z«, ^ is the secmd/invose of Z^, and so on*) 
Because his BRP is the buyor then computes Jff(2^, and sends this value to the 
trustee, preferably (digitally) signed together with additional information.^ To the 
seller, the buyer instead gives Z«, preferably signed together with additional 

IS information. 

In the seller's sicp, the scIIct givCT her knowledge of/s secret information 
- e.g. , n's factorization) may easily compute all the first N-M inv^^ses of 
However, because her SRP is f , she evaluates the one-way function Jff on the first i 
such invCTses, and thm evaluates H on anothm* N-M-i values Vj^, each preferably 

20 distinct from any of the first iV-M/inverses of ^. Thus, she gives the trustee the 
resulting sequence of N-M values, preferably in random order: 
H(Z,hH(Z2},...,H(Z^.H(VJ H(V^J.'^ 

In the trustee step, die trustee preferably mates sure (e.g., by using tiie 
additional information), that the seller's list and the buyer's value relate to the 



25 ^ Such additional information preferably describes the transaction and is taken 

to be a proof of the buyer's willingness of entering it. For instance, the additional 
information may include any of the following data: seller's information, buyer's 
information, transaction information, good-<m-sale information, time information, 
Z^, any other information, or no information. 

30 ^ Tlie seUer may just compute the first / inveiMS of AATO choose the Vk 

VALUES at random, if the probability that one of these values EQUALS ONE 
OF THE FIRST INVERSES OF Z^ IS SMALL. Computing aU such 
inverses is desirable, as will be seen. 



•18- 



wo 97/24833 



same negotiation. The tnistee checks whether one of the N-M values received 
from the seller equals the value received from the buyer. If so, it announces that 
a deal is possible; otherwise, it announces that no deal is possible. This 
announcement is piefisrably signed by the trustee together with additional 
5 inftmnation, and sent to both seUer and buyer. In case the deal is possible, the 
dealer preferably includes in his announcement the value of the buyer, H(^, 
together with the buyer's signature of it, and the sdler*s list, together with the 

seller's agnature of it. 

This scheme works for the following reasons. First, it should be noticed 

10 that the trustee does not team J (i.e., the BRP) from the infomialion it receives 

from the buyer. Indeed, although given Z„ (i.e., within the additional information) 
the trustee does not know how to invert the RSA fimction/, and thus does not 
know any of the N-M inverses of Z,. Of course, the trustee could, given 4, easUy 
verify that this is the /th inverse of Indeed, the trustee could evaluate/on 

15 iiqHit^by the buyer, but H(^) should, from a practical point of view, be 

equivatent to having nothing at aU about ^. Thus, the trustee has a very hard time 
determining j may be from the buytf 's information. 

Similarly, the trustee cannot easily leam the value of i from the information 
obtained from the seUer. Indeed, the trustee recdves from the seller N-M items 

20 altogether; i items obtained by evaluating H at inputs that are the first /-inverses of 
Z, and N-M items obtained by evaluating H at inputs flat arc not such /-inverses. 
However, the one-way function H makes it difficult for the trustee to decide 
whether an individual item is of die first of second type; thus, tiie trustee cannot 
count how many type-1 items are tfiere. Indeed, H is chosen so that tiie trustee 

25 cannot practically distinguish between a value obtained by evaluating H at a/- 
inverse, and one obtained by evaluating H at some different input.* 



« Ratiier than obtaining type-2 values by evaluating H at inputs K ti»at are not 
the first /-inverses of Z„, the seller could choose her type-2 values in some otiier 
manner (e.g., by choosing N-M-i values l/» - of ti>e proper lengtii - at random, 
30 becausetiieprobability ttuittiiese chose values happen to be of type 1 IS 

negligible), provided tiiat such values are not easUy distinguishable from type-1 
values. 



-19- 



wo 97/24833 



PCT/US97/00286 



FinaUy, it ^idd be iQypiedaled that, a 
i > j\ the trustee may not piactically ieaxn anything more about i and / from 
taking into conadoaticm both the information received from the isdler and that 
received from the buyer. 
5 Indeed, assume first that there is no possible deal (i.e., that / > y). Then, 

the <mly additional information that the trustee gets from the sell^ *s list and 
buyo-'s value taken together is that the buyer*s value does not occur in the seller's 
list. But this does not help the trustee retrieve the precise values of i and / at all. 

Assume now that a deal is possible (i.e., that i ^ /)« Then, the trustee 
10 sees that the buyer's value, H(Zf), is an item in that seller's list, and thoefore 
learns that H(Z^ has been obtained by evaluating A at one of the first - /If /- 
inverses of Howev^, if the sdler's list is presented in random order, the 
trustee still cannot figure out what the value of j may be, nor tiie value of /. 

In sum, therefore, the angle trustee, dcnng only local and trivial 
IS computaticm, learns wh^er a deal is possible, but never the values of the reserve 



Notice also, that one can, within the scope of the invention, use functions 
H that are not one-way, but more care is needed. For instance, one can choose 
H(x) to consist of the last • say - 50 bits of x. Now 50 bits of may not be 
enough for reconstructing i^. This is not so because taking the last 50 bits is a 

20 one-way function, but because SO bits of crisply-clear information about x are just 
ttx> few to reccmstrua a secret long value x, even if f(Zi), whm/is a trap-door or 
one-way function, is known, Also, the last SO-bits of the RSA inverses (as 
evidenced by the results of Alexi et al.) may be unpredictable and thus quite 
random looking. Thus, it would still be hard to distinguish between the last 50 

25 bits of the RSA inverses (the type-l values) and SO-bit random values (the type-2 
values). However, one has to be careful in constructing die blind-negotiation 
system so that the buyer cannot misuse the system to invert the RSA. Indeed, it is 
also shown by Goldwasser et al. and Alexi et al. that given an oracle for guesang 
the last 50 bits of sevml RSA inverses, one may discover the full RSA invose on 

30 an input of interest. Now, while in gen^ no such oracle is available, the sell^ 
hosdf may, through the mechanism of the blind-n^otiation system, provide such 
an oracle. Indeed, she is called by the systm to [mivide die last SO bits of several 
RSA invo^. However, if is a prop^ one-way function, such cryptanalitic 
attacks will become essentially impossible, and the seller may release H evaluated 

35 at any RSA inverse without fear. 

-20- 



wo 97/24833 PCTAJS97/W>2«6 

prices.' The trustee, however, enables the seller and buyer to learn each other's 
reserve prices - so that they can both, for instance, compute i +J/2. 

Consider first the seller's situation. Indeed, if the trustee gives the seller 
the buyer's value W^. she easily leamsy, because she knows the value of every 

5 single /-inverse of Z„ and thus can check which inverse, after evaluating H on it, 
yields the buyer's value. Further, if the buyer's value is given by the trustee to 
the sdier with the buyer's signature, then the seller receives a proof of what; is, 
and thus a proof that he was willing to buy at price j. Similariy, by receiving the 
seller-signed setter's list, the buyer receives a proof that she was willing to sell at 

10 price/. (In ftct, the buyer knows at least the firstyZ-inverses of Z« and thus 

(becausej>i when the deal is possible), he can check and prove that the sdler's 
list contains fte first /-inverses of Z..). These proofs, preferably together with 
odua- evidence (e.g., a proper initial agreement between sdler and buyer ~ 
preferably including Z, together and with other additional information), can be 

15 used to prove in court that f +y/2 is the agioedtnKte price resulting fi»m the 

n^otiation. 

The above blind-negotiation system is quite <»nvenient from an interaction 
point of view (because the parties perform mostiy local computations and do not 
talk back and forth too much). It is also computationaUy attractive. 

20 FMIffling 'Time Analysis 

TTie above blind-negotiation system requires little computation because the 
trustee cssentiaUy just checks equaUty (between the buyer's value and the items of 
the sdler's lisl). The buyer at most evaluates the trap^Ioor function/and the one- 
way fimction H in the forward direction - A/ times. This is particularly easy to 

25 do. First, iff is preferably a non-number theoretic function and plenty of very fest 



' In case a deal is possible, however, and fte actual trade price is chosen to 
be i + //2, protecting the secrecy of i and; from the trustee may be deemed to be 
less crucial. (Indeed, in this case each of the seller and buyer may, from 
knowledge of his own reserve price and knowledge of the average of their reserve 
prices learn readily the oAer's reserve price.) If this is case, the seUer may 
actually send her list to the trustee in order rather than randomly permuted, Tlus 
still does not enable the trustee to learn anything additional if no deal is possible, 
but lets the trustee learn the value of; if Ae deal is possible. He can m fiict easdy 
see that the buyer's value is the/th item in die seller's list 



-21- 



wo 97/24833 



PCT/US97/mi286 



non-number theoxetic functions are known. Second, the expcment e of the RSA 
function/can be chosen quite small (e.g., equal to 3, if 3 is relatively prime with 
p - 1 and q - I *and indeed, p and ^ can be chosen so that this is the case). Thus, 
rather than requiring a full modular exponentiation, (and thus l.Sk modular 
5 multiplicalims when ^ and jc are k-bit long), an RSA evaluation (e.gM a 
compulation of f(x) — :f mod n) may require as little as two modular 
multiplications, aiid tiie buyer makes at most N-M such evaluati<ms, and thus at 
most 2(^ - ti^ modular muitiplicaticms overall. Moreover, the sdler appears 
instead to p^fbrm - JIf /^versions, and HxmN-M modular exponentiations, 

10 each requiring roughly LSk modular multiplicati<ms. (Indeed, each such inversion 
consists of a computation of the type jcf' mod n, where is the multiplicative 
inverse of e mod (p-1) (q-1); thus, even if e is chosen to be quite short, d may not 
be short at all.) However, the seller's computation of all required inverses may be 
accomplished by means of just one modular exponentiation and N - M /evaluations 

IS (each involving two modular multiplications if e » 3). Indeed, computing Z/^ 
requires that the sdler inverts/, on input Z^N - M times. But this means to 
compute (2fofMM ^ ^ because in such a computation the 

exponents woric modulo (p - 1) (9 - 1), in effect the sella must compute je'' mod 
n, wha:e d' - d(N-M) mod (p - 1) (9 - 1). Thus the sdler may compute d' 

20 (which is thus less than (p - 1) (9 - l)t and Oius less than n, and thus at most Jk-bit 
long) with a single modular multiplication, and then jc'' mod n with just a single 
modular «ponentiation. After she has computed the sdler computes all 
other // - Af - 1 /inverses of Z^ by simply evaluating/, on Z^, N - M times, and 
each evaluation requires at most two modular muitiplicaticms if e is chosen equal 

25 to3. 

It should be noticed also that the value N - M may be quite small. Indeed, 
in the above blind-n^otiations for sale of an automobile, the oivisaged values of 
N-M woe, reflectively, 36, 72 and 144. Of course, if 144 is an ui^ierbound to 
die possible reserve prices, so is 1,000. But, inc^pendent of other considerations, 
30 seUer and buyer may have a valid incentive in ensuring that J^^* Af is small. In 
particular, the trustee of a blind-negotiation (whether of this or another type with 
lower-and upp»4x>unds) may actually require paymrat for his services according 
to the monetary value of the transacticm. Now this value may become clear whra 

-22- 



W097/Z4833 PCT/US97/00286 

a deal oours, but, because Of the very nature Of a bUnd negot^ 
revealed otherwise. It is thus desirable that the trustee be paid as a percentage of 
N or N-M, whether ornot a deal occurs. It is thus in the interest of seller and 
buyer that //and M be small. 

5 FilThaPf^"f Security 

The above-described system has been described in the context of a single 
given btind negotiation. It should be realized, however, that an enemy may also 
consider attacks that occur outside a single negotiation, possibly setting up a new 
blind negotiation in order to discover something about an old one. It is thus 

10 recommended, in this and odier bfind negotiation systems as weU, that each 

portion of a negotiation cannot be used in any other negotiation. Thus, if each 
individual negotiation is secure, all possible negotiations taken together will be 
secure as weU. For instance, it is quite beneficial that the additional information 
be used so that it fiiUy specifies the negotiation in question, and, if something 

15 wrong Tsppem. in such spedfication, then proper security measures can be taken. 
For example, it is desirable that messages exchanged within a blind 
negotiation be ci««w«Ke<f. For instance, the seller first signs the value she sends 
to the trustee, and then encrypts this signed message with the trustee's key (and 
not the other way around - though stiU in the scope of the invention). This way, 

20 after the trustee decrypts, he can check that the cleartext message came from the 
seller (and it is to her - and to the buyer - that he will send his announcement of 
the outcome of the negotiation, prrferably encrypted with her key). This is a 
practical way to customiaK messages; Uiat is, to tie messages to their senders so 
tiat, in particular, no one else can take tfje same message and (possibly without 

25 understanding it) send it as his. 

The value of customization can be seen by analyzing what may hq>pen if it 
is not used. For instance Ognoring additional information and most oUwr details), 
assume tfuit a seller S gives her list L to tiie trustee after encrypting it with flie 
trustee's key, and tiien signing the so obtained ciphertexL Tlial is, assume that 

30 she sends y = 5/G5(E,|LJ), her own signature of the piece of data* = £,^). 

Assume now that a maUdous buyer B has blindly negotiated with S, and tiiat the 
result announced by the trustee was tiiat no deal was possible. Then, B should 
learn no more tiian the fi«:t that the seller's reserve price was bigger tfian his own 



-23- 



one. However, by means of some "outside attacks" he can exactly reconstruct the 
sdler's reserve price as follows. 

When S sends y to the trustee, B makes a copy of it (without preventing it 
from reaching the trustee, and without understanding what he is copying). Hien, 
S he strips out S*s signature (thus obtaining an unsigned string jc - Ej(L) which he 
cannot understand) and substitutes it with the signature of an accomplice of his, C, 
thus obtaining die string y ' = SIGc(Ej(L)). Then, he pretends that he is blindly 
n^otiatii^ with C several times. Each time he uses die same and has C send 
the trustee the string y\ As for his own messages, the first time h& pretends ttat 

10 his res^ve price is M (thus he s»ds the trustee a properly signed and mcrypted 
H{Zj)); the second time he pretends that his reserve price hM + I (thus he sends 
the tnistee H(Z2)\ and so on, until, the kOi time, the trustee reports that there is a 
deal. Thus, B leams that the seller's resave price was M k. 

Notice that each time the trustee notifies B and his accomplice C of the 

IS outcome of the negotiation, since, without a proper customization of the messages, 
he believes that B and C are the parties of these negotiations. (Of course, even if 
the Ath time, the commodity is declared as been sdd by C to B, C will ignore 
such sale. Indeed, C does not own the commodity at hand.) In the mean time, 
poor S is not even aware that this is going on. 

20 Customizing messages neutralizes this attack. For instance, assume that 

even a mild form of customization is used, where the sella sends the trustee y ^ 
S1Gs(Ej{LM)), wh^ the additional information AI qiecifies tiiat the sdler is S, 
tiie buyer B, and the trustee T. Then, copying y, stripping S*s signature, and 
substituting it with that of accomplice C, and having C send T the string 

25 SIGc(Ejj(L,AI) does not help much. In fact, after verifying the signature of C and 
nmoving his own csicryption layer, the trustee will realize that the additional 
mformation idmtifies S to be die seller and not C. Thus he can take proper 
measures; for instance, stop the negotiation and alert S of what is going on. 

Notice that if S adopts ttie above customization and tiie encryption system 

30 is properly designed, it would be essentially impcKSsible for B to talre tiie data ^ 

ErO^M) and somdiow transform it into anodiar inece of data x - Ej(L^f) 
tiiat happens to be the encryption, witii the trustee's key, of die same list L plus 
additional information Af indicating that C, rather than S, is the seller. Similar 



-24- 



wo 97/24833 PCr/US»7/00286 

difficuWes would be cnanmteied by the above 

different; for instance, if the sender communicates her list to the trustee by 
sending E,(SIG^M), or SlG,l(Er(SIG^(LM)))- 

A malicious buyer may steal, however, use the same customized message 

5 M, (whether M, = Er(LM). ot E^IGsfLM)), or SIG^Ey(SlG^(LMm. or anodier 
value), and mount the above attack by keeping on sending to the trustee as if 
coming from the seUer, each time pretending that there is a blind negotiation going 
on. At each such negotiation, he sends a diffKcnt buyer's value, and possibly 
tries to prevent that the trustee's announcement reach the genuine seller, so as to 

10 keep ho- in the dark about the attack. 

These types of attadc: can be prevented by insoting in the additional 
information some time information. For instance, the sdler may qiedfy what is 
die current date and time, in her communication to the trustee. If the trustee when 
receiving the information notices that the time is suffidently old may take some 

15 proper actions excluding, possibly, stop the negotiation and alerting its parties that 
something is wrong). 

A resourceful malidous buyer, however, may do the foUowing. When the 
seller in a negotiation with him sends the trustee a customized message M, (e.g., 
M, = SIGs(Ej(SIGs(LM))}) that indicates who are sdler and buyer as well as what 

20 is the time of the transmission, he may copy Af„ and then send it to many 

different trustees: Tj, T^. etc. He then behaves as if Trustee T, is the single trustee 
of ablind negotiation between Seller S and the buyer B, and his price is i. Thus 
the first trustees witt inform him that no deal is possible, but if i = SRP, then 
trustee T, wiU inform him that a deal exists. At the same time the buyer may try 

25 to prevent that these announcement reach S. But even if this does not succeed, he 
will end up with a legitimate purchase at price / = SRP, and thus at the minimum 
posable price at which dw sdlw was ready to sell. 

This attack may be prevented if the additional infinrmation AI spaAGea v*o 
the trustee of the current blind negotiation is, and thus only his announcement wiU 

30 be regarded as binding, and other trustees receiving a message of a blind 

negotiation that does not concern them should take proper actions in response. 
Anodm' way to prevent this attack and other possible attacks consists in adding 
one or more rounds of communication Cm feet, though the fiswer these rounds are 



-25- 



wo 97/24833 



FCT/US97/00286 



the more convenimt the system is, more intefactive systems are within the scope 
of the invetitim). Sudi additional nnmds may in particular be used by having the 
trustee send a randomly sdected value so that only responses psopeAy including 
such values are considered Intimate. Hiis makes it even harder to use porticms 
5 of a blind negotiaticm into anmher blind negotiation* 
Blind Negotiations with Invisible Trustees 

A blind negotiation system can be in^emented with trustees that are 
invisible. This means that an honest sdler and buyer can exchange messages so 
that (for example, and without limitation) the buy^ learns whether a deal is 

10 possible (e.gM whether SRP ^ BRP) wittout leamii^ the sell^^s reserve price, 
and flien proves to tiie sdler wheth^ a iteal is possible (and at what price). 
Howevtf , if the buy» refuses to "share* with the seller what he has learned, then 
the sdler can go to a trustee, which up to now has been in the background, and 
have the trustee take action to prove to her the result of the blind negotiation 

IS (and/or any other jMroper action). 

Thus, in such a blind n^otiation system seller and buyer occhange a first 
set of messages in an attempt to complete thdr tiansacticm, and, if the transaction 
, is not completed, a trustee intervenes so as to complete it. 

By way of background, cryptographic protocols have bem described in the 

20 literature tiiat enable two mutually suspidous play^, Alice and Bob, the first 
having a seoret ii^t a and the second a secret input b, to evaluate a given 
function / on their secret inputs so as to compute the value/ (a. b) without 
divulging more infcmnation about a and than is already implicit in the value/ fis, 
b) itself. A variant of such a m^hod due to Yao was discussed in the ps^ of 

25 (Soldrdch, Micali, and Wigderson. A particular simple cases arises the 
function/is the AND function, Alice has a secret bit a. Bob has a secret bit b, 
and the two parties want to compute the AND of a and b, i.e., aAb^ without 
disclosing their bits more than aAb already (foes. Recall that aAb^ 1 if and 
only if botii bits are 1. Hius, if the secret bit of one party is 1 , thm, after 

30 learning die value a /I timt party will inunediately also learn tiie otiier party's 
bit; initeed, that will coincide with a A b. For the AND function, tiimfore, 
computing it on secret inputs witiiout revealing more about tfiese inputs than 
already implicit in tiie result means to meet the following two conditions: 



-26- 



wo 97/24833 PCTAJS97/00286 

1. (Bob's privacy:) If Alice has 0 as her secfrt bit, then, after learning 
. that a /I ^ = 0, she shouW not team whether Bob's bit is 1 or 0. 

Symm^cally, 

2. (Alice's pnvacy:) If Bob has 0 as her secret bit, then, after teaming 
5 that fl/1/> = 0, he should not team whether Alice's bit is lor 0. 

In the above Yao method, one of the parties (e.g., without limitation Bob) 
funiishes the other party (e.g., without Umitation AHce) with various encrypted 
data having a spedal structure, in particular, with two dphertexts (relative to the 
output btt): EO and El. Ciphertext EO (encayptiAg a secret value W) is openly 
10 bbeted 0 and Cipertext El (encrypting a different secret value VI) is openly 
Ubeledi. 

Having prepared both ciphertexts. Bob knows their decryptions W and VI. 
but Alice does not, she only knows EO and El. If a - 0, then the special 
structure of the data given from Bob to ABce guarantees that Alice will be abte to 
15 retrieve VO, (but not Vi); dse, if « /\ 6 = 1. Alice will be abte to retiteve W (but 
notVO). Sincethelabeisof these ciphertexts are known, Alice can tfius determine 

whether a Ab = Oot a Ab 1. 

After learning one of the two secrets rdative to the output bit, and thus the 
value of the bit aAb, Alice can tdl Bob what the output bit was. If Bob does not 
20 trusther, she can prove to him what the result of a >t i> is by rdeasing die secret 

she actually teamed (i.e., either VO or VI). 

Besides enabling flie compulation of aAb, the method also guarantees 
Bdb's and Alice's privacy conditions. Note, however, tiiat Alice, after teaming 
the actual vahie of a /\ can deprive Bob of this information by simply telling 
25 him nothing, not die result not any piooftiiattfiis is indeed tiw AND of 
their secret input bits. It is thus a goal to rectify this weakness as weU as derive 
from any such special computation of tiie AND function a new blind-negotiation 
system, one that works witii invisible trustees. 
^ New mM 

30 In particular, assume that A/ and JV are, respectively, lower-and upper- 

bounds to the reserve prices of a given commodity, and that Alice is the seUer and 
Bob ttw buyer. Then . for each possibte price i between M and iV. let die bit a, be 



-27- 



W097/24g33 



PCTAJS97/00286 



1 if SRP > i\ and 0 Otherwise; similaiiy^ 1^ the bit be / if i < HRP, and 0 
otherwise. 

Since SRP is Alice's secret and BRP Bob's secret, each is a secret bit of 
Alice, and each bf a secret bit of Bob. Notice that price i is zcceptable to both 

5 Alice and Bob if and only if a, /\ = 7. Thus a deal between Alice and Bob is 
possible (i.e., SRP < BRP) if and only if th^ exist a value / such that A — 
L If this is the case, the actual trade price maybe diosen in various ways, for 
instance, as the average of / and h, where / is the lowest vali^ of / such that Of A 
bi s= and A is the highest value of i such that a^Ahi^ L 

10 Thus, Alice and Bob can conduct a blind negotiation by simply computing, 

for aU r between MwAN^OiAbi^ by means of a speoal AND method such as 
above. (Since we are using such a special AND computation for each value of I 
b^ween M and N, we may use the to identify the quantities EO, £1, VO and 
VI relative to the M computation of the spedal AND, that is, EOi, Elj, V&. and 

15 VI..) 

If no deal is possible, then the result will be /\ - 0 for all /. In this 
case, Alice cannot learn BRP beycmd the fact that it must be lower than her own 
SRP. Indeed, for each / < SRP, - 0 and thus a^Abi- 0, but, because the 
special AND computation does not release any other knowledge, she will never 

20 learn whether i or 0 for any i < SRP; thus, she cannot learn which tiie 
value of BRP may be beyond knowing that it is less than her own SRP. 

If a deal is posable, then A A| = i for some i. In this case, the actual 
trade jHioe can be computed - for instance, by computing / and A and setting the 
trade price to be (7 + h)/2}^ 

25 Of course, like in all blind n^otiations explained so far, Alice and Bob 

preferably make use of digital signatures during tiie process of evaluating each 
AND in the spedal way, so, that each can prove who said what to whom when, 



Note that also this method allows to avoid certain prices if so wanted. 
E.g., Bob may choose b^ = 1 and b^^s = but chose b^^^ = 0- Again, as in one 
30 of our prior blind n^otiations, this behavior of Bob may be permitted, and 

interpreted as his wish not to trade at jnice 1 + 3, no mattor what his reasons may 
be. Altemativdy, as indicated above, it may be agreed that setting ft^ = / and 
bj^s - J is tantamount to setting bj = 1 for all j betweoi i and i + 5, independent 
of the actual value of bj actually entered by Bob in a special gate. 



-28- 



W097/Z4833 



PCT/US97W0286 



and relative to which negotiatioii. Indeed, Uiey may preferably sign an initial 
agreement, preferably qiedfying proper additional data for the special AND 
computation relative to each price /. In particular, the additional data for the ith 
speoal AND may include the dphertext £0, and El, (which respectively encrypt 

5 the secret values VO, and Vij, which arc not part of such additional data). Thus, 
the release of VO, or VI, relative to the AND conqmtation of price i. does not just 
prove to Alice or Bob whether ; is a mutually agreeable price, but, togetho^ vnOi 
other signatures already exchanged, can be part of a provably signed contract of 
trade between the two parties. 

10 We should now point out that it is (for instance) Alice who finds out the 

values a,Ab, first, and she may or may not reveal or prove what these values arc 
to Bob. This is imteed a feature of the above mentioned special AND 
computation. In our context, ttiis may result in Atice withholding from Bob the 

result of the neg<^]ation. 
15 To avoid this, the following additional modifications are proposed. First, 

for each special AND computation, rather than having the encryption of VO 
(denoted by EO) be openly labded with 0 and the encryption of Yl (denoted by 
El) be openly labeled with /. the labels of EO and E/ may be encrypted, 
preferably with a key of a trustee. For instance, Bob (who prepares these two 

20 labeled dphertexts) may labd£0 with £^o; and £i with JSWi; (where Wis an 
encryption scheme of which a trusted party, has the decryption key), and make 
sure that these two dperlext-labd pairs are presented in random order. For 
instance, he may provide Alice widi the labd-ciphertext pairs (Ei(l), El) and 
(Bj(0), EO). CThc encryptions of the labds 0 and 7 are preferably pwibabaistic. 

25 Forinslancc,£,/0> may be the encryption, with a trustee's key, of a random even 

number, and Ej(l) the encryption (with a trustee's key) or a random odd 
number.") 

This way, after Alice computes die decryption of EX) (i.e., <k the 
decryption of El , VI), she does not understand whether the result signifies a 



30 " Of course, one may use the same ractyption scheme to encrypt 0 and i, or 

different scheme, such a scheme can be pubUc key, or private key, in which case 
the ordinary encryption/decryption key can be known to both Bob and the trusted 
party. 

-29- 



wo 97/24833 



FCT/US97/00286 



Oora/. (In fact, she can see that £0 is labeled with 
with Ej^j, but she does not know vAdch of and JS^ is an encryption of 0 and 
which is an encryptkm of 1.) She thus gives VO (lespectively VI) to Bob, and Bob 
proves to her whedier obtaining this decryption means that the AND computation 
5 r^ulted in a £)or a i by decrypting Ej{0) orE^l) (or both), that is, Bob may 
give Alice the very even number used in graerating EjO (0) and/or the very odd 
number used in graerating ErI (0). 

So far, this additional stq> does not appear to have accomplished mudi. 
Indeed, if before it was Alice who OMild withhold fmm Bob the result of thdr 

10 blind negotiation, it now appears diat it is Bob who could withhold Uie result from 
Alice. Indeed, Bob may refuse to provide AUoewitti the decryption of 
f^rri;* However, Alice may go to the trusted party (prefmbly with data signed by 
Bob and data signed by herself, so as to prove that this is part of a blind 
n^otiation). The trusted party will then provide h^ with the decrypticm of the 

15 desired E/O) or Et(1) value. 

Thus, the trustee is not needed and is totally in the background if Bob and 
Alice are honest (because Bob can decrypt himsdf what he had previously himself 
encrypted with the trustee's tey). However, if this is not the case (like discussed 
above), the trwttee may intervene to compete the negotiation by decrypting what 

20 is necessary for compl^g the transaction. 

It is actually preferable that if Alice asks the trustee to decrypt (fm 
example) an "output dphertext label" Ej(0) aft^ presenting signed data that 
include her agnature of VO, that is, her signature of the learned decryption of EO, 
the dphertext labded E(0). This reassures the trustee that indeed the negotiation 

25 pnqieriy started and that Alice is entitled to learning what the learned VO means. 
In informing or proving to Alice that Et(0) actually means 0, it is also pref^^le 
that the trustee also informs of the result of negotiation; preferably by 
providing him widi at least Alice's signature of VO. This way Bob has a proof of 
what the output of the correspcmding AND gate was. Thus, if the trustee provides 

30 Alice with such a proof (or result) it also provides Bob with a correqxmding proof 
(or result). 

This "joint*notification" is important because othmrise Alice could 
withhold the result of the n^otiation (or its proof) from Bob as follows. She 



wo 97/24833 PCT/US97/00286 

paiticqntes to the negotiation hooesfly until she computes the decryption of the 
ootput-dphcrtextof each special AND gate O c, either VD, or Vi„ for each gate 
i). Then, Ae does not tdl these teanied decryptions to Bob, so as to leain what 
they mean and inform Bob of the same. Rather, she bypasses Bob altogether, 

5 goes to the trustee, and has it tdl her whether the lab«^ of the output-cq)hertexts 
mean. Tliis way, she learns the result of the negotiation, while keeping Bob in the 
dark. However, if the trustee also informs Bob whenever it informs Alice, then 
both Aiice and Bob wiU learn the result Moreover, if the trustee gives Alice the 
decryption of each label (e.g., the even number whose encryption was the given 

10 Er(0), or die odd number whose encryption equaled E,(l)), and gives Bob the 
particular decryption learned by AUce signed by her, tiien not only will botii 
parties learn tiie rcsutt of tiieir negotiation, but tt>ey wUl botii have a proof of what 
tiieir results are. 

Preferably, tfic labels Oand i arc not encrypted in a key known to just one 
15 trustee, but with a key tiat is split among a phiraUty of trustees (e.g., like in flie 

systems suggested by Micali), so tiat tiie cooperation of sufRdentty many of tiwm 
is required for each or value 10 be decrypted. This way, one or 
suffidentiy few trustees may not conspire wiUi (e.g.) Alice in order to let just her 
know die result of the negotiation. The idea of replacing a single trustee witii a 

20 multipUdty of trustees possibly holding shares of a given secret key, also applies 
to odier blind n^otiation systems of tiiis invration. 

It is preferable fliat Seller and Buyer exchange messages by means of a 
mcttiod that gives certified return receipts. For instance, when Alice gives tfie 
learned VO secret of a given AND gate, it is recommended tiiat she sends such a 

25 VO to Bob by means of a certified maU return receq)tmctiK)d tiat enables her to 
prove tiat indeed tiat particular value VD was sent to Bob. Electronic, secure and 
practical such mettiods arc presented in a copending patent application. 

Actually, die use of return-receipt exchanges between Seller and Verifier 
also enables one to dismiss invisible trustees in flie blind-negotiation systems. Fbr 

30 instance, if in tfie above system wiUj a proper initial agreement Alice leams a 

value V, relative to die iUi AND computation of a price (i.c., V, equals eitiier W, 
or Vi^, and sends U to Bob by a certified retum-recdpt mediod (which preferably 
shows what tiie sent value actually was), if Bob does not re^Kind witii a proof of 



-31- 



W0 97/Z48S3 



PCT/US97/00286 



the result of the oomputatioA, she has enough informatim to lecdve justice in 
some fonii of oourL Such courts^ however, could be interpreted as invisible 
trustees too, thou^ not even thdr keys have been used in the n^otiation. 
Mnlf fng PW ^'^"^^^m Tmiww'wt 
S In practice, a single-trustee bliiKl negotiation system may be quite attractive 

(given that the trustee does not learn the reserve prices anyway). However, one 
may still fear that the trustee is not trustworthy. For instance, though a blind 
negotiation indicates that a (teal is possible, the trustee may announce that it is not 
possible and let the buy^ know the items i^ipearii^ in the sdler's list. (Note ftat 

10 these items will reveal the sdler's reserve price if the buya knows 

Thus, although the seller may not mind if the buyer learns her reserve 
price when a deal occurs, the trustee might enable the buyer to learn the SRP 
when there is no deal at all. 

Some of this cheating may be prevented or dissuaded as follows. Whm die 

IS trustee declares that there is no deal, rather than just saying so, he also signs an 
encryption of the information he receives from the sdler and the buyer. This 
signed encryption of the seller's list and the buyer's value may consist of the very 
encryptions that seller and buyer gave the trustee in their resqpective stq>s. Indeed, 
in order to give the trustee her list in a private way, the seller preferably oicrypts 

20 it with the trustee's key. Similarly the trustee might enable the buyer to learn the 
SRP when there is no deal at all. 

Similarly, the buyer prefoably sends the trustee his own value after 
encrypting it with a trustee's k^. Moreover, each of the seller and buyer signs 
his own data (preferably togetfa^ with additional data) prior to encrypting it with 

25 the trustee's key. Thus the trustee may release these two encrypted agnatures 
when saying that no deal is possible, prrferably signing the whole thing himsdf 
also. 

Hie reason for announcing such signed mcrypUon whm the deal is not 
possible is to enable either the sdler or the buyer to request that the blind 
30 negotiaticmbemade *'traiiq)arent." In this case, the trustee must remove his own 
encryption layer, thus revealing in an authenticated way the seller's list and the 
buyer's value. 

-32- 



wo 97/24833 FCTrtJS97«(n86 

If, afto decrypting the sdler's list and the buyer's value, U 
indeed there was no deal possible (because the buy»'s value does not appear in 
the seller's list), then proper measures can be taken. For instance, assume that the 
negotiated commodity is yet unsold and that it is the buyer who called for the 

5 blind negotiation to become transparent. Then, after learning the values SRP and 
BRP, and realizing the SRP > BRP, the buyer may be forced to purchase the 
commodity at price SRP (or or SRP + iV/2, or 5JeP + a given amount - either 
fixed or dependent on JV, M etc. -) or at any other price deemed proper. 

Hius, the seller may nm mind that her SRP value was made known because 

10 she wiU be able to seU at that price or better. (Alternatively, the buyer may be 
properly fined - c.g., by a fixed amount, or as a percentage of SRP, N, etc. - 
e.g., by a fixed amount, or as a percentage of SRP, N, etc. - without forcang a 

sale of die commodity.) 

Assume now diat, afto die blind n^odation was made transparent at the 

15 buyer's request, it appears that indeed no deal was possible, and that the selte has 
already sold her commodity to someone else. Then, other proper measures may 
be taken. For instance, the buyer may be obliged to pay the amount of SRP to Ae 
seller without receiving the commodity in exchange, or he may be fined according 
to a proper formula, etc. (AltemaUvely, it may be agreed that after the result of a 

20 blind negotiation is negative - i.e. , the outcome is "no deal"- one has only a 
prescribed window of time to request to make it tranqwrent, and that the seller 
should not sdl the commodity during diat time.) 

Assume now diat, after the negotiation has been made transparmt, it 
appears d»at the trustee announced ti»e wrong result Then, other proper measures 

25 can be taken. For instance, not only the trustee can be made finandaUy 

responsible for paying what it is deemed proper, but he can be also criminaUy 
prosecuted. Thus, the possibility of having the blind negotiation transpanait wiU 
add a great incentive for the trustee to remain honest. 

Of course, a trustee who has Ued within a blind negotiation may not wish 

30 to decrypt at all. Thus, measures should be taken tfiat dissuade him from taking 
titis course of action. Alternatively, it may be required that the trustee's key may 
be shared among many otiier trustees (e.g., by one of die mediods of Micali) so 



-33- 



wo 97/24833 



PCTAJS97/00286 



that if the trustee refuse to decrypt, the otha trustees may intervoie and remove 

his enoyption hya anyone. 

Forcing Good Faith in Blind NegotiatiiHis 

It is desired to msure that the participants of a blind n^otiation act in good 
S faith. By this we mean that, no matter what the res^e price of ones participant, 
there is at least one choice of reserve value for the other participants so that the 
deal is possible. 

For instance, we want to disallow that a malicious buyer may waste the 
seller's time and resources by negotiating (witfunit being detected) in a way that 

10 guarantees that no deal can be readied. For instance, such a buy» may give the 
trustee a random number R or H(R) as the buyer's value (ratha than the image, 
undet function H, of one of the first N-Af /-inv^ses of Zq)* Herefore, with 
overwhelming probability, this numb^ will not appear in the seller's list. 
Accordingly, the trustee will report that no deal is possible. 

15 Engaging in such negotiations with the seller, the buyer may, at least 

temporarily, prevent that the sdler negotiates profitably with othars, and in 
gen^ damage her. Sudi behavior should thus be made impossible, or easily 
detected. 

Of course, the seller may set i — il/ in a blind negotiation (i.e., have her 
20 SRP to be the minimum possible value). If in these conditions the outcome of the 
blind negotiation still is that no deal is possible, then clearly the buyer or the 
trustee are cheating. Thus, zppmpsmte measures can be taken if the sell^ detects 
and proves that this is the case. (Some of these measured are discussed in the 
previous section. For instance, the buyer may be obliged to buy at maximum 
25 price, or, if he can prove that his value was properly set, the trustee may be fined 
or prosecuted.) 

However, choosing a minimum SRP may be a too exprasive way for the 
seller to check that the buyer is negotiating in good faith. Indeed, if the buyer 
happens to act in good faith, the seller will essentially "give away** her 
30 commodity. Therefore, better strategies to ensure good faith particqiation in a 
blind n^otiation should be sought One of them is desoibed below. Of course, 
after presenting one such strata, many otters can be easily devised. 



-34- 



wo 97/24833 



PCT/US97/(»286 



In her. stq), the sdler gives the trustee, together with her usual Ust 
consisting of N-M items (i of which consist of H evaluated at the first /-inverses 
of Zj, and N - A# - i of which consist of different values) gives an additional check 
Ust. The latter consists of another N - M items, preferably in landom order. 
5 fl{Z,+i), • • • . ^(^m) - ^ evaluated at the remaining N-M- if-invases - 
and H(Vm«^+,), ... H(V^) - i.e., H evaluated at i values, preferably different 
both among themselves and ftom the first /-invCTses of 2^ as wdl as from all othw 
V values. 

Notice tfiat ti»e trustee, though recdving the sdler's Ust and check list, still 
10 does not understand what the value of i may be. Indeed, if H is good, any item in 
each list may zppeax as a random numbw to him. Notice too, howevCT, that die 
buyer's value H(Z^ should, if the buyer is honest, appear in one of the two Usts. 
Thus, if this is not the case, the trustee may announce so, preferably in a signed 
manner. At this point steps can be taken to dedde who is right and proper 
IS measure can be ddapxed. 

The trustee, rather than just announdng that the buyer's value does not 
appear in either the primary list nor the check list of the seller, may actually 
release both the seUer's Usts and the buyer's value, and since these have been 
signed by their owners, he wiU release these signatures too. Thus one can verify 
20 in authenticated manner what are the items in the seUer's Ust, the items in the 
seUer's check Ust, and the buyer's value. If she is right, the seUer may further 
reveal every value Z„ and every value V*, so that one can verify that her Usts were 
both wdl constructed (by checking where H(Zt) and H(V^ appear), and become 
convinced that the buyer participated to the bind negotiation in bad laidi. Attiiis 
25 point, though the seUer's reserve price may be compromised, proper measures can 
be adopted, sudi as those discussed in die [nevious section. For instance, die 
commodity may be assigned to the buyer at die maximum possible price, or at 
price I plus a suitable additional amount. 
Blind N^otiations with DupUcate Trustees 
30 As we have seen, bUnd n^otiaticms with a single trustee who does not 

learn the SRP nor the BRP are most convenient. However, if the trustee is not 
trustworthy after all, he may declare that no deal is possible (whUe instead i < j) 
and give, for instance, tije buyer tiie seUa's information C» e., her Ust). 

-35- 



wo 97/24893 



PCT/US97/002W 



This event should be rath^ ini|m>bable if the trustee is pippoly chosra. In 
any case, the possibility of making negotiations transpairat may be quite effective 
in d^erring even this small chance. 

Then is, however, anoth^ way to prevent this cheating: 
dupliaue trustees. That is, we envisage runnii\g die above single-tnistee system 
with two or more trustees, treating each trustee essentially as if he were the only 
one. Thus, while in a genraal bUnd-negotiaiion systrai with multiple trustees, the 
trustees may engage in non-trivial message exchanges and computations, these 
duplicate trustees do not Indeed, to make life for sellers and buyers easier, 
duplicate trustees may use the same encrypticm/decryption keys, and sellers and 
buyers may use these common trustee-keys when talking privately to the duplicate 
trustee(s). This way each message needs to be encrypted only once (with the 
common key of tiie duplicate trustees) raAea* than many times (with the key of 
each of the duplicate trustees). If they wish to use different encryptions with each 
of the different duplicate trustees, howew, a proper mcryptt<m scheme should be 
used.*^ 

The main advantage of having, two or mcne di^licate trustees is the 
following: if a deal is possible, then every honest trustee will say so and 
pidfecably prove that this is so, thus enabling the deal to go through at the right 
price. Therefore, for a deal to be lll^timately declared impossible when it is 
indeed possible, AIX duplicate trustees must be dishonest. And ttie possibility of 
this event is evra more remote. 
Bliad-N^otiaticMi Sj^stems with Secure Hardware 

In a single-trustee blind negotiation-system, the problem still exists that the trustee, 
when the deal really is impossible, may give to one participant information rdative 
to the otfier participant. For instance, he may give the buyer the seller's list(s). 
Of course, the trustee does not understand the SRP ficom this information, but the 
buyer will. This problem does not go away with duplicate trustees. Indeed, the 



Indeed, some oicrypticm algorithms (like RSA with small exponents) may 
be secure if each message is encrypted only with one key. However, if the 
same message is encrypted with a &rst key, a second k^, a third key and 
so on, then an memy who gets hold of these ciphertexts can easily retrieve 
the message. 

. -36- 



wo 97/24833 



PCT/US97/00286 



othtf diqdicaie tiustees may just o(mfirm thatt no 
aware that <me trustee is tqiping off die buyer. 

One effective avenue to take caie of this problem and others as well is 
having a trustee consist of or indiKie a secure device, for ooncreleness purposes 
S only but without loss of goierality, a secure chip; that is, a chip a portion of 

which canncH be read or tampered widi from the outside. For instance, because 
trying to tamper witti the chip or trying to read part of its protected areas causes 
all information in the chip to be destroyed. 

One advantage of using secure hardware this way is that once such a chip 
10 has beoi pnq)^ly manufiactured, its inputH>utput behavior cannot be changed. 
Thus, there is no way to "corrupt" such a trustee an convince him to behave 
didionestly. 

For instance, the secure chip may be manu&ctured to correctly perform the 
following opoaticms. The secure dtap recdves an input / from tfie sdler and an 

15 iiqyut j from the buyo* (preferably with proper additional infonnatim, and having 
each party properly sign his data and encrypt it with a tey known to the chip). 
Tlie chip then verifies the additional information and compares the values i and j. 
If the information looks fine and / > y , then the chip produces an output indicating 
that no deal is possible. Else, the chip outputs g(ij)t where ^ is a functicm 

20 chosen to establish the actual trade price. 

In either case, the chip preferably digitally signs its output tog^er with 
proper additional information. (Again, other features of the above blind negotiation 
systons can be incorporated here * such as, initial agremirat, message 
customization, time stamfnng, or having the chip give sell» or buyer a random 

25 number and demanding that that number be part of future messages in the 
n^otiatim.) 

Ihmdom Checkin g for Proper Special Structures 

As we have menticmed, in the method for computing the AND function so 
as to satisfy Bob*s and Alice's privacy oomlitions, one of the parties (e.g., Bob) 
30 sends Alice various encrypted data having a sptcizi structure. If this special 

stnu^ture is differwit from what it should be, tiien, ratiier flum computing a /I b, 
one may compute a dififoent function (with a one*bit ou^ut), or always discover 
the other party's secret bit. 



•^37- 



wo 97/24833 



PCT/US97/00286 



In the ccmtext of tlw above blind oegotiatim, it would be in Bob's int^^ 
to diange the special stnictuie so that the function /ra, b) = a would be computed 
instead. This way, in a blind negotiation, Bob would never offer more than 
Alice's SRP, though he would not know the value of SRP before hand. 

5 It is thus important that the parties are omvinced that each piece of 

enoypted data possesses the right specM structure that makes it a special AND. 
In the mentioned papa of Goldreich, MicaU, and Wigderscm, it is suggested that 
(as part of the meduxO Bob proves to Alice that the provided oyptogcaphic data 
possesses tiie desired apedal structure by means of a zero-knowledge proof. We 

10 note, however, that other wdl-known simple methods can be used within our 
application. 

For instance, assume thatN-M»A:is the number of possible prices for 
the negotiated commodity. Then, Bob may present Alice widi 2k (rather than k) 
pieces of encrypted data, claiming that all of than possess the spedal structure for 
15 implementing an AND with our privacy omstraints. Alice may then choose k of 
them, and ask Bob to dec^t them, so that she can see that they possess the right 
stzucbue. If this chedc is passed, then the remaining k pieces of en<^ted arc 
believed to imptonent correctly our AND, and th^ are used as in the above blind 
n^Otiation system. 

20 Hiis way. Bob may dieat with prbbalnlity at most one half. Indeed, even 

if he inserts a angle inoonect piece of enciypted data, with probability 1/2 Alice 
will dioose it among die k pece die asks Bob to dec^t. Further, the probability 
may be decreased (to 1/3, 1/4, etc.) by having Bob present AUce more "trial" 
pieces of enciypted data (e.g., 3k, 4fc, etc.), and then have Alice choose all of 

25 them excq>t k for decryption. Altemativdy, vat to increase die amount erf 

computation and transmission too much, we may continue to use a small amount 
of pieces of encrypted data (e.g., 2k), but make it counterproductive for Bob to 
cheat. For instance, relying on a propo- initial agreement, it can be arranged tiut, 
if Bob is caught cheating or refuses to decrypt the "trial" pieces of enciypted data 

30 chosen by Alice, dien is obliged to buy Uie gjvoi commodity at jmce 4N, or is 
fined for an amount 4N. Thereficwc, by cheating he expects to lose money. 
Indeed, if he cheats, he has probability ^ 1/2 of gaining somethuig (e.g., 
discovering Alice's SRP, or buying at a price that is guaranteed to be equal to 



-38- 



wo 97/24833 



PCTAJS97/MI286 



SRP) whose worth is at most $N, but also has protiabiUty 1/2 of loosing $4N. (Of 
coune, the probability of 1/2 of bdng caught in the amount 4N penalty are purely 
exemplary in that other values oould be chosen in their place). 
GENERAL PWVATE-FtJNCTION EVALUATIONS WITH INVISIBLE TRUSTEES 

5 It should also be noted that, as we have already mentioned, the above AND 

method gaieralizes so as to enable Alice and Bob to compute any function /Ca,^; 
of two secret inputs a and i» so as to satisfy both Alice's and Bob's privacy 
cimstraints. Again, this more general m^od involves Bob sending Alice 
encrypted data with a special structure, and having every posable ou^ut-bit 

10 variableawre^KMidtotwoencryptions, EO and El, one labeled 0 and the other 1. 
The actual value of a given output4>it variable (in a given execution of a special 
dreuitry for » is 0 if /Uice computes the decryption of the corresponding EO 
value, and 1 if she computes the decryption of the corresponding El value. 

Again, thodbre, one of the parties may withhold from the other the result 

15 of a given privatexonqmtatimi off. However, we cam again ^ly the same 

system developed above. Tliat is, rather than openly labding EO wifli 0 and El 
with 1, we can label EO with E,(0) and El with E,(l), where B^x) is an 
encryption function for which an invisible trustee has the decryption key. The 
trustee, the first party and the second party act therefore, very much like in the 

20 case of the AND function, so as to yidd a mediod where two parties A and B, 
each possessing a secret input, respectivdy, a and b, can, with the help of an 
invisible trustee and without revealing these inputs, privately evaluate any given 
function/on thdr inputs so that, if one party learns y ^f(a,b), then so does the 
other. Again, by invisible trustee we mean the following: if both parties are 

25 honest,bothwillleaniwithoutinvolvingthetnislecatall, but if one of the parties 

dishonestiy tries to keep for him/hersdf the learned value y, then the trustee 
intervenes so as to ensure that botfi learn y (but not the other's secret input, unless 
that is implicit in y). 

While this invisible-trustee method for privately evaluating a two-input 
30 function /is useful in general, it is particularly useful in blind negotiations. 

Indeed, M&ot may be a seller and BcA a buyo", a may be the SRP and b the BRP, 
and with a proper initial agreement and use of digital signatiires, they may 
profitably achieve a blind negotiation with an invisible trustee by privately 



-39- 



wo 97/24833 



PCTAJS97/00286 



evaluating the following (comparison) function f:f(a,b) = J if a ^ b, and 0 
othowise. 

Again, they may use the decryption-p^ty method for •checking" that the 
qpecial structures involved are present in the pieces of encrypted data used* 

It is now possible to summarize the important advantage of the disclosed 
blind negotiations systems and methods. 



-40- 



W097/24833 PCT/Ua>7/Wtt86 

IN THE CLAIMS 

What is claimed is: 

1. An dectrooicim)cess exerted by a first party 
assistance f«)m at least a pluraHty of trustees, wheidn the fim 
reservation price (SRP) and the second party has a buying leseivation pr^ 
and the parties are commitled to a transaction if a ptedeterrained relationship 
between Ae reservation prices is established, but not otherwise, comprising the 

steps of: 

initiating the electronic process by having the first and second parties 
compute data strings encoding th«r respective reservation prices, wherein at least 
one of said parties uses an electronic device for such computation; 

having each of the first and second parties transmit to the trustees the data 
strings that encode their respective reservation prices, wherein at teast one of these 
transmissions is carried out electronicaUy, and whenan a subset of trustees 
containing less than a given number of trustees does not possess any us^ 
infonnation sufiicient for reconstructing the reservation prices; and 

having the pluraUty of trustees participate in the electronic process by 
taking action to thereby determine whether the predetermined relationship exists, 
wherein the detefmination is made without reconstructing the reservation prices. 
2. Hie electronic process as described in Claim 1 further including the step 
of: 

) if the predetermined rdaUonship exists, having the trustees continue the 

dectronic process by providing information that commits the parties to the 
transaction at a price according to a given fwroula. 



-41- 



wo 97/24833 PCT/US97/00286 

3. The dectronic imKess as described m 
of: 

if the piedetamined idationship does not exist, having the trustees 
continue the electronic process by providing information that indicates that the 
5 transaction is not possible without indicating a party's respective reservation price 
to the other party* 

4. The dectnmic process as described in Claini 3 whmin the information 
does not reveal a party's les^vation price to the other party. 

5. The dectronic process as described in Claim 2 wherein the predet^mined 
10 relationship is SRP < or equal to BRP. 

6. The electronic process as described in Claim S wherein die givoi formula 
is SRP + BRP/2, 

7. The electronic process as described in Claim 1 wherein at least one of the 
trustees continues the electronic process by taking action with at least one of the 

IS pardes to dierd>y determine whether the predetermined rdadonship exists. 

8. The electronic process as described in Claim 1 wherein at least one of the 
trustees makes use of secure hardware. 

9. An dectrmic process executed by a first party and a second party, with 
assislaiK:e from at least one or more trustees, wherein the first party has a sdling 

20 reservation price (SRP) and the second party has a buying res^vation price (J3KP) 
and the parties are committed to die transaction if a predetermined rdationship 
between the reservation prices is established, but not otherwise, comprising the 
steps of: 



-42- 



WOW/24833 PCT/US97/0a286 

imtiating the dectionic |m)cess by having the first an^ 
compute shares of their respective reservation prices, wherein at least one of said 
parties uses an etectronic device for such computation; 

having each of the first and second parties transmit shares of their 
5 respective reservation prices to a set of players selected from a set comprising the 

first and second parties and at least one trustee, wherein a subset of players, 
containing less than a given number of players and not one of the parties, does not 
possess any useful information for reconstructing the reservation price of that 
party, and wherein at least one of the transmissions is carried out electronically; 

10 and 

having the players participate in the electronic process by taking action to 
thereby determine whether the predetermined relationship exists, wherein the 
determination is made without reconstructing tfie reservation prices. 
10. The electronic process as described in Claim 9 further including the step 

15 of: 

if the predetwmined relationship exists, having at least some of the play»s 
continue the electronic process by providing information that commits the parties 

to the transacdwi at a price according to a givoi formula. 

U. The electronic process as described in Claim 9 further including the stq» 

20 of: 

if the predetermined relationship does not exist, having at least some of the 
players continue the dectronic process by providing information that indicates that 
the transaction is not possible, wherdn the information does not reveal a party's 
reservation price to the other patty. 



-43- 



^^^'^ PCT/US97/0«286 

12. The electronic process as described in Claim 9 wheidn at least one player 
uses secure hardware. 

13. An dectionic process executed by a first party and a second party, with 
assistance from at least one trustee, wherdn the first party has a selling 
reservation price (SRP) and the second party has a buying reservation price (BRP) 
and the parties are committed to a transaction if a predetermined relationship 
betwem the reservation prices is established, but not otherwise, comprising the 
steps of: 

having each of the first and second parties transnut to die at least one 
trustee data that does not possess any useful information for ^tabling die trustee to 
reconstruct the res^vation prices, wherein at least erne of the transmissions is 
carried out dectimically; 

having at least one trustee partidpate in the electronic process by taking 
action to determine whethw tfie predet^mined relationship exists; and 

if the predetermined relationship exists, having at least one trustee continue 
die dectnmic process by providing information tiiat commits the parties to the 
transaction at a price according to a given formula; and 

if the preddermined relationship does not «ist, having at least one trustee 
continue the electronic process by providing information that indicates that the 
transaction is not possible without revealing the resovation prices. 

14. Hie electronic proc^ as described in Claim 13 wherdn, if the 
predetermined relationship (toes not exist, die information provided by the trustee 
does not reveal a party's reservation price to die other party. 

15. The electnmic process as described in Claim 13 wherein the predetermined 
relationship is SRP < or equal to BRP. 



wo 97/24833 PCT/US97/00286 

16. The electronic process as described in Caaim 15 wherein the given fonnula 
is SRP + BRP/2. 

17. The dectronic process as desctibei in Claim 13 wherdn the trustee 
conq>rises a secure inece of hardware. 

5 18. The dectronic process as described in Claim 13 wherein the trustee 
comprises a plurality of agents. 

19. The dectronic process as described in Claim 18 whoein the plurality of 
agents hold shares of a common secret key. 

20. An dectronic process executed by a first party and a second party, with 

10 assistance from at least one trusted party comprismg secure hardware, wherein the 
fiist party has a sdling reswvaHon price (SRP) and second party has a buying 
reservation price (BRP) and the parties are committed to a transaction if a 
predetermined relationship between the reservation prices is established to exist, 
but not otherwise, comprisii^ the stqM of: 

15 generating an encrypted version of each party's reservation price, wherein 

at least one of the encrypted veraons is generated using an electronic device: 

having the first party transmit to tfie trusted party the encrypted version of 
SRP and having the second party transmit to the trusted party the encrypted 
veraon of BRP, wherein at least of» of the transmissions is carried out 

20 dectronically; 

having at least one trasted par^ participate in the dectronic process by 
taking action to determine whether the predetermined relationship exists between 
the reservation prices without revealirig SRP and BRP outside the secure 
hardware; and 



-45- 



wo 97/24833 PCT/US97/00286 

having at least one trusted party continue the electronic process by 
transmitting result-information to each of the first and second parties, wherein the 
reservation prices are not revealed if the predetmnined relationship does not exist. 

21. The electronic process as described in Claim 20 wherein the predetermined 
S relationship is SRP < or equal to BRP, and wheieui if the trusted parly 

determines that SRP < or equal to BRP, the result-information commits tiie 
parties to the transaction at a price detmnined at a givm formula. 

22. The electrmic process as described in Claim 20 wh«ein the predetermined 
relationship is SRP < or equal to BRP, and whetdn if the trusted party 

10 ' determines that SRP > BRP, the result-information indicates that the transaction is 
not possible at that time without revealing the reservation price of one party to the 
other party. 

23. The electronic process as described in Claim 20 wherein in addition to the 
mcrypted vosion of the SRP, the first party also transmits to the trusted party 

15 additional information, wherein the additional information includes information 
selected from the following: a description of the transaction, a proof of the first 
party's willingness to enter into the transaction, an agreed transaction price if tiie 
predetermined relationship exists, date and time, and otiier transactim information. 

24. The dectronic process as described in Claim 23 wherein the encrypted 
20 version of the SRP and the additional information are digitally signed prior to 

transmission by Ae first party to the trusted party. 

25. The electronic process as (tescribed in Claim 20 wherein in addition to tiie 
encrypted veraon of the BRP, the second party also transmits to the trusted party 
additional information, wherein the additional information includes information 

25 selected from the following: a description of the transaction, a proof of the 

-46- 



wo 97/24833 PCT/US97/00286 

second party's wUlingness to enter into the transaction, an agreed transaction price 
,if the predetennined relationship exists, date and time, and other transaction 
information. 

26. The electr«Miic process as desoibed in Claim 25 wherran the enoypted 
S ver^on of tiie BRP and the additional informatim are digitally signed prior to 

transmisaon by the senmd party to the trusted party. 

27. The electronic process as described in Claim 20 wherein at least one of die 
first and second parties use secure hardware to encaypt thdr resqiective resovation 
price. 

10 28. An electronic process executed by a first party and a second party, with 
assistance from an invisible trusted party if needed, wherein die first party has a 
selling reservation price (SRP) and the second party has a buying reservation price 
(BRP) compriang the stq>s of: 

(1) having the first and second party agree to ocecute an ideal 

15 n^otiation that results in (a) a omimitment to a transaction if a predetcarmined 
relati<mship exists between the reservation prices or (b) no commitment and the 
detnmination tiiat the pced^ermined relationship does not exist without revealing 
the resovation prices; 

(2) having die first party and the second party exchange messages to 

20 attempt completion of the ideal negotiation, wherein at least one of the messages is 
exchanged dectronically and wheidn dtha party can determine wh^her the 
piedetomined relationship exists; and 

(3) if die ideal n^otiation is not comply in st^ (2), having the 
invifflble trustee take action to complete the ideal n^otiation. 



-47- 



wo 97f24S33 PCTAJS97/00286 

29. An dectrmic process executed by a first party and a second party, with 
assistance from an invisible trusted party if needed, wherein the first party has a 
selling reservation price (SRP) and the second party has a buying reservation price 
(BRP), wherein the first and second parties have agreed to an ideal negMiation that 
5 results in (a) a commitment to a transaction if a predetermined relaticmship exists 
between the reservation prices or (b) no commitment and the determination that ' 
the pred^muned idationship does not oist witfiout revealing the reservations 
prices, comprising the stqps of: 

(1) having the first party and the seccmd party exchange messages to 

10 attempt completion of the ideal negotiation, wherein at least one of the n^ssages is 
rachanged electrcmically; and 

(2) if one party does not comjriete certain actions required in slep (1), 
having the invisible trustee take action to complete the ideal negotiation; and 

wherein the trusted party comprises secure hardware. 
IS 30. The electronic process as described in Claims 1, 9 or 13 wherein the 

transacticm is sdected from at least one of the following types of transactions: a 
sale, a lease, a license and a finandng transaction. 

31. The dectronic process as described in Claim 30 wherein the transaction 
involves a commodity having a value within a predetermined upp^ and lower 

20 range, and wterdn the trustee is provicted a fee according to the value. 

32. An dectronic process executed by a first party and a second party, with 
assistance from an invisible trusted party if needed, wherdn the first party has a 
private value ""a*" and the second party has a private value *b" and the first and 
second parties have agreed to compute a given function T on thdr inputs "a" and 

25 comprising die st^s of: 



wo 97/24833 PCT/IJS97/Wn86 

(J) having the first paity and Ae second party exchange messagw 
enable each of the parties to obtain f(a,b) without revealing "a" and "b", wherein 
at least raic of the messages is exchanged dectrtmically and wherein dther party 
can determine whetho' the obtained value f(a,b) is correct; and 

S (2) if one party has not obtained f(a,b) in stq> (1), having the invisible 

trustee take action so that both parties can obtain f(a,b). 
33. An dectionic process executed by a first party and a second party, with 
assistance fiom at least one trustee, wherein the first party has a private first value 
and the secraid party has a private secmd value and the parties are committed to a 

10 transaction if a predetermined relationship between the first and second values is 
established, but not otherwise, and wherein each party's respective value is 
unknown to the odier party, comprising the stq>s of: 

initiating the dectronic process by having the first and second partes 
compute dm strings encoding thdr respective values, wherran at least one of said 

IS parties uses an dectronic device for sudi computation; 

having each of the first and second parties transmit to at least one trustee 
the data strings that encode thdr respective values, wherdn at least one of these 
transmissions is carried out dectronically, and wherdn at least one trustee does 
not possess any useful information sufficient for reconstructing the first and second 

20 values; and 

having at least <me trustee particqiate in the dectronic process by taking 
action to hdp detamine whether the predetormined rdationship exists, wherdn the 
determinatim is made without reamstructtng the private values. 



-49- 



7/24833 PCr/US97/D02S6 

34. The de^imuc process as described in Claim 33 further induding the stq> 
of: 

if the piedetenniited rdationship exists, having at least one trustee continue 
the electronic process by contributing information that he^ commit the parties to 
the transaction according to a given formula. 

35. The electronic process as described in Claim 33 further including the step 
of: 

if the predetermined relationship does not exist, having at least one trustee 
continue the electronic process by providing information that contributes to 
indicating that the transaction is not possible without thereby indicating the first 
and second private valws. 

36. An dectimic process executed by a first parly and a second party, witii 
assistance frmn at least one or more trustees, wherein the first party has a secret 
first value and the second party has a secret seccmd value and the parties are 
committed to the transaction if a predetermined rdationship betwem the first and 
second values is established, but not otherwise, wherein each party's respective 
private value is unknown to the other party, comprising the steps of: 

initiating the electrmiic process by having the first and second parties 
compute shares of thdr reqvecti ve values, wherean at least one of s^ parties uses 
an dectionic device for such computaticm; 

having each of the first and second parties transmit diares of their 
respective values to a set of players sdected from a set comprising the first and 
seocmd parties and at least one trustee, wherdn a subs^ of playos, containing less 
ttian a ffven number of players and not one of the parties, does not possess any 



-50- 



wo 97/24833 PCT/US97/D0286 
useful infomiatkm for reconstnicting the value of that party, and wherein at least 
one of the transmissi<ms is carried out electronically; and 

having the playos parti<^ate in the dectronic process by taking action to 
thoeby detennine whether the predetnmiiKd rdationship crisis, wherein the 
S determination is made widwut rec(Mistructing the first and second values. 

37. The electronic process as described in Claim 36 furdier including the stqp 
of: 

if die predetennined rdationship exists, having at least some of die players 
cmtinue the dectronic process by providing information that commits the parties 
10 to tfie transaction according to a given fminiila. 

38. The electronic process as described in Claim 36 further including the Siep 

of: 

if the predetennined rdationship does not «cist, having at least some of the 
players continue the electronic process by providing informadon that indicates diat 
15 the transacticm is not posable, wherein tiie information does not reveal a parQr's 
ivivate value to the other party. 

39. An electronic process executed by a first party and a second party, with 
assistance fiom at least one trustee, wherdn the first party has a private first value 
and the second party has a private second value and the parties arc committed to a 

20 transaction if a predetermined relationship between the first and second values is 
established, but not otherwise, wherein each party's respective value is unknown 
to the other party, comprising the Steps of: 

having eadi of the first and second parties transmit to at least one trustee 
data that does not possess any useful information for enabling the trustee to 

25 reconstruct the first and second values; 



wo 97/24833 PCT/US97/aa286 

having at least oi^ trustee partidp^ in the electronic process by taking 
action to d^ennine wh^er the piedetennined lelalion^p exists; and 

if the predetennined rdationship exists, having at least one trustee continue 
the electronic process by providing information that commits the parties to the 
5 transaction according to a given formula; 

if the predet^mined relationship does not exist, having at least one trustee 
continue the electronic process by providing information that indicates that the 
transaction is not possible witfiout revealing the first and second private values. 
40. An electronic process executed by a first party and a second party, with 
10 assistance from at least one trusted party comprising secure hardware, wherein the 
first party has a private first value and second party has a private second value and 
the parties are committed to a transaction if a predetermined relaticmship tetwem 
the first and second values is established to exist, but not otherwise, wherein each 
party's respective value is unknown to the othw party, conq>rising the steps of: 
IS generating an encrypted version of each party^s private value, wherein at 

least one of tfie encrypted versions is gmoated using an electronic device; 

having the first party transmit to the trusted party the encrypted version of 
the private first value and having the second party transmit to the trusted party the 
encrypted versicm of the private second value, vahmin at least one of the 
20 transmissicms is carried out electronically; 

having the trusted party participate in the dectronic process by taking 
action to determine whether the predetermined relationship exists without revealing 
the first and second private values outside the secwre hardware; and 



-52- 



wo 97/24833 PCT/US97/D(I286 

having the trusted paity contioue thct dectionic process by transmitting 
resuU-infonnadon to each of the first and second parties, wherein the private first 
and second values are not revealed if the pred^ermined relatioishq) does not exiA. 
41. An electronic process executed by a first party and a second parQr, with 
5 assistanoefitomaninvisibletrusledpartyif needed, wherein the first party has a 
private first value and the second party has a private second value, comprising tiie 
^qu of: 

(1) having die first and seccmd party agree to execute and dectronic 
negotiation that results in (a) a commitmoit to a transaction if a predetermined 

10 relationship exists between the private first and second values or (b) no 

commitment and the determination that the predetermined relationship does not 
exist without revealing the first and second values, and wheron eadi party's 
xespcctiv^ private value is unknown to the otha party; 

(2) having the first party and the second party exchange messages to 
15 attempt con^iletiwi of the dectronic n^otiation, whodn at least one of the 

messages is ecchanged dectronically and whodn ddier party can determine 
«^eth^ the dectronic n^otiation is complete; and 

(3) if the dectnmic negotiatim cannot be completed in step (2), having 
the invisible trustee take action to complete the dectronic n^otiation. 

20 42. An electronic process necuted by a first party and a second party, using 
secure hardware, whardn die first party has a private first value and the second 
party has a private second value and the parties are committed to a transaction if a 
predetnmined rdatioashq> between the Gtst and second values is established to 
exist, but not othowise, whodn each party's respective value is unknown to the 

25 other party, comprising the stq» of: 

-53- 



wo 97/24833 PCT/US97/00286 

providing the secure hardware the private first and second values, wherein 
at least one of the values is provided electronically; 

having the secure hardware d^^rmine whether the predetermined 
rdalionship exists without revealing the first and second private values outside the 
5 secure hardware; and 

having the secure hardware provide result^information to at least one of the 
first and secmd parties, wherein at least one of the private first and second values 
is not revealed cmtside the secure hardware if the predetermined relationship does 
not exist. 

10 43. The electronic process as des(^bed in Claim 42 wherein if the 

predetermined relationship exists, the result-information provided by the secure 
hardware indicates a transaction price by evaluating a predetermined function of 
the first and second private values. 

44. The electronic process as described in Claim 42 wherein the result- 
15 information is digitally signed. 

45. The diectronic process as described in Claim 42 wherein the result- 
information is digitally signed with other information. 

46. The electrcmic process as described in Claim 42 wh^n an initial 
agreement occurs between the first and second parties prior to the secure hardware 

20 providing the result-information. 

47. The electronic process as described in Claim 42 wherdn at least one of the 
first and second private values is provided to the secure hardware unencrypted. 

48. The electronic process as described in Claim 41 wheredn the first and 
second parties fiirther agree that a given penalty is imposed on a party that has 

25 been found to have deviated from prescribed steps of the dectnmic n^otialion. 

-54- 



wo 97/24833 PCT/US97/00286 

1/3 

FIG. 1 



RESULT INFORMATION 
COMMinED AR PRICE P / NO DEAL POSSIBLE 




I 



FIG. 2 



TRUSTEE 




SELLER BUYER 



wo 97/24833 



2/3 



PCT/US97/00286 



FIG. 3 




wo 97/24833 



PCTAJS97/00286 




RESULT 
DETERMINATION 



